How to verify DMD download with GPG?

Ola Fosheim Grøstad ola.fosheim.grostad at gmail.com
Tue Feb 8 10:17:19 UTC 2022


I don't use GPG often, so I probably did something wrong, and 
failed to get a trusted verification. I do like the idea that a 
hacker cannot change the signature file if gaining access to the 
web/file hosts, but how to verify it in a secure way?

I did this:

```
/opt/local/bin/gpg --keyring ./d-keyring.gpg --verify dmd.2.098.1.osx.tar.xz.sig dmd.2.098.1.osx.tar.xz
gpg: Signature made søn 19 des 22:35:47 2021 CET
gpg:                using RSA key 3AAF1A18E61F6FAA3B7193E4DB8C5218B9329CF8
gpg: Good signature from "Martin Nowak <code at dawg.eu>" [unknown]
gpg:                 aka "Martin Nowak <martin.nowak at 7learnings.com>" [unknown]
gpg:                 aka "Martin Nowak <martin at dlang.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F46A 10D0 AB44 C3D1 5DD6  5797 BCDD 73FF C3EB 6146
      Subkey fingerprint: 3AAF 1A18 E61F 6FAA 3B71  93E4 DB8C 5218 B932 9CF8
```

I also did not find the key listed here:

https://dlang.org/download.html
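
Added example (not part of the original post and not the D project's own tooling): a shell script that pins the primary key fingerprint and checks it against gpg's machine-readable `--status-fd` output instead of relying on the `[unknown]` trust label. The pinned value is copied from the output above and is an assumption until confirmed through a channel independent of the download host; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Pinned primary key fingerprint. Assumption: copied from the gpg output in
# the post; confirm it out of band before relying on it.
PINNED_FPR="F46A10D0AB44C3D15DD65797BCDD73FFC3EB6146"

# Read `gpg --status-fd` lines on stdin and print the primary key fingerprint
# (last VALIDSIG field). GOODSIG is required as well, so a signature reported
# as EXPKEYSIG or REVKEYSIG instead (expired or revoked key) is rejected.
primary_fpr_from_status() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr }'
}

# status_matches_pin FINGERPRINT: succeed only if the status stream on stdin
# carries a good signature made under that primary key. Spaces and letter
# case in FINGERPRINT are ignored, so gpg's grouped form can be pasted.
status_matches_pin() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(primary_fpr_from_status | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_pinned KEYRING SIGFILE DATAFILE (hypothetical helper name).
# Human-readable gpg output goes to stderr; only status lines reach the pipe.
verify_pinned() {
    gpg --no-default-keyring --keyring "$1" --status-fd 1 \
        --verify "$2" "$3" 2>/dev/null | status_matches_pin "$PINNED_FPR"
}

# Constructed status lines for a run like the one in the post; only the two
# fingerprints come from the page, the remaining fields are made up.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DB8C5218B9329CF8 Martin Nowak <code at dawg.eu>
[GNUPG:] VALIDSIG 3AAF1A18E61F6FAA3B7193E4DB8C5218B9329CF8 2021-12-19 1639949747 0 4 0 1 10 00 F46A10D0AB44C3D15DD65797BCDD73FFC3EB6146
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Usage:
#   verify_pinned ./d-keyring.gpg dmd.2.098.1.osx.tar.xz.sig dmd.2.098.1.osx.tar.xz \
#       && echo "signed by pinned key" || echo "do not install"
```

The `TRUST_UNDEFINED` line corresponds to the `[unknown]` marker: the signature is cryptographically valid, but nothing in the local trust database vouches for the key, which is why the comparison against an independently obtained fingerprint carries the decision.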


