How to verify the GPG signature? #31
Comments
|
I'm a newbie to both Git and GitHub; I didn't know you could upload GPG keys - I guess I should research that. I created and signed the tarballs on my own computer, then uploaded the files to GitHub. My public key does still seem to be on at least one keyserver: $ gpg --keyserver keyserver.ubuntu.com --search-keys philip.hazel I hope that helps. |
|
Hi, thanks - I finally got it. Trying to import from the ubuntu keyserver results in $ curl https://github.com/web-flow.gpg | gpg --import
<snip>
$ gpg --keyserver hkps://pgp.surf.nl --recv-keys 45F68D54BBE23FB3039B
<snip>
$ LANG=C gpg --verify pcre2-10.38.tar.gz.sig pcre2-10.38.tar.gz
gpg: Signature made Fri Oct 1 17:42:07 2021 CEST
gpg: using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg: Good signature from "Philip Hazel <ph10@hermes.cam.ac.uk>" [unknown]
gpg: aka "Philip Hazel <ph10@cam.ac.uk>" [unknown]
gpg: aka "Philip Hazel <ph10@cus.cam.ac.uk>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 45F6 8D54 BBE2 3FB3 039B 46E5 9766 E084 FB0F 43D8So that's woring now. |
Hi, sorry for stupid non pcre2 questions here ;-)
In the releases, there's a
.sigfile where I can find a verification signature for the tar-balls. Trying to verify it failed until now, because I'm unable to find an importable key for it yet. GPG itself claimsfor a random keyserver I tried. Loading the key from github tells me:
which seems odd, because you've verified commits and signed tar-balls. Any hints?
The text was updated successfully, but these errors were encountered: