dmd download sig file, how do I use it

[Seb]

On Sunday, 25 March 2018 at 03:17:51 UTC, Ali wrote:
> Hi All,
>
> The DMD download is accompanied with a sig file
> How exactly do I use this sig file
> I am assuming I can use it in place of checksum to verify the 
> download
>
> And to be honest, I have almost zero knowledge for gpg and 
> encryption
> I googled a little but, didnt exactly find what I was hoping to 
> find
>
> I tried the following command
>> gpg --verify dmd_2.079.0-0_amd64.deb.sig 
>> dmd_2.079.0-0_amd64.deb
>
> which returns
>
>  gpg: Signature made Fri 02 Mar 2018 01:47:57 PM EST
>  gpg:                using RSA key B273811612BB1939
>  gpg: Can't check signature: No public key
>
>
> I guess this means, the file is not verified
> So how can I do a complete verification?
>
> I also downloaded the keryring file, from link in the download 
> page
> but also couldnt figure out how to use it
>
> Any explanation of how this gpg sig key works and how to use it 
> to verify the download
> would be appreciated
>
> thanks

The official install script takes care of this automatically:

https://dlang.org/install.html

If you want to do this manually, you need to grab the D keyring 
from here:

https://dlang.org/gpg_keys.html

And here's how you would verify the signature automatically like 
e.g.

gpg --verify --keyring ~/dlang/d-keyring.gpg --no-default-keyring 
dmd.2.079.0.linux.tar.xz.sig dmd.2.079.0.linux.tar.xz

It's also possible to permanently add this keyring to your 
installation with e.g. gpg --import ~/dlang/d-keyring.gpg

(Note: the individual keys in the keyring are currently expired 
and we are working on rolling out a new keyring, but that doesn't 
affect yverifying the existing signatures.)