On Friday, 1 November 2024 10:20:14 GMT Jakob Bohm via Gnupg-users wrote:
> Unless the speedo make target actively checks each download against a
> strong hash stored in the initial gnupg tarball

It does, actually. More precisely, it checks each download against a strong hash stored in a swdb.lst file. Granted, that file is not in the original tarball and is instead downloaded from an online source, but its signature is verified against GnuPG’s release signing key, which IS in the original tarball (g10/distsigkey.gpg).

- Damien
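The chain of trust described in this reply (key pinned in the tarball, signed hash list, per-download hash), sketched as an added example that is not part of the original message and is not code from speedo.mk or the GnuPG project. The function names and the `<name>_sha2 <digest>` line layout of the hash list are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical helpers illustrating the three links of the chain.

# Link 1: check the detached signature on the hash list using ONLY the
# keyring that shipped in the already-trusted tarball. gpgv accepts a
# signature from any key in the given keyring and from nothing else.
verify_manifest() {   # usage: verify_manifest KEYRING SIGFILE MANIFEST
    gpgv --keyring "$1" "$2" "$3" 2>/dev/null
}

# Link 2: look up the expected SHA-256 for one package in the hash list.
# Assumed layout: one "<name>_sha2 <hex digest>" pair per line.
manifest_sha2() {     # usage: manifest_sha2 MANIFEST NAME
    awk -v key="$2_sha2" '$1 == key { print $2; found = 1; exit }
                          END { exit !found }' "$1"
}

# Link 3: hash the downloaded file and compare. A missing entry is an
# error (status 2), not a pass; a mismatch is status 1.
check_download() {    # usage: check_download MANIFEST NAME FILE
    want=$(manifest_sha2 "$1" "$2") || { echo "no hash for $2" >&2; return 2; }
    have=$(sha256sum "$3" | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "hash mismatch for $3" >&2; return 1; }
}

# Whole chain: the hash list is consulted only after its signature has
# verified, so an unsigned or re-signed list never vouches for a download
# (status 3).
fetch_verified() {    # usage: fetch_verified KEYRING SIGFILE MANIFEST NAME FILE
    verify_manifest "$1" "$2" "$3" || { echo "bad signature on $3" >&2; return 3; }
    check_download "$3" "$4" "$5"
}
```

With the files named in the reply, the call would take the form `fetch_verified g10/distsigkey.gpg swdb.lst.sig swdb.lst NAME FILE`, where `swdb.lst.sig` is an assumed name for the detached signature.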