How to verify DMD download with GPG?

Ola Fosheim Grøstad ola.fosheim.grostad at gmail.com
Wed Feb 16 07:35:57 UTC 2022


On Monday, 14 February 2022 at 18:12:25 UTC, Era Scarecrow wrote:
> For Linux sources there's MD5 and SHA-1 hashes I believe. If 
> you have two or three hashes for comparison, the likelihood of 
> someone changing something without those two changing seems 
> VEEEERY low.

I usually grab the sources from GitHub, but for binaries I'd like 
higher resolution SHAs presented on a secured server, different 
from the one hosting the files. The main concern is that hackers 
might obtain access to both the binary and the website that 
presents the SHA…

PGP is good in theory, but if the keys are presented in a context 
that isn't secured, then what good is it? There ought to be 
some central authority for PGP/GPG; it isn't all that difficult 
to implement either. The central authority could verify the 
email. Without that, SHA is easier to deal with…



