How to verify DMD download with GPG?
Ola Fosheim Grøstad
ola.fosheim.grostad at gmail.com
Wed Feb 16 07:35:57 UTC 2022
On Monday, 14 February 2022 at 18:12:25 UTC, Era Scarecrow wrote:
> For Linux sources there's MD5 and SHA-1 hashes I believe. If
> you have two or three hashes for comparison, the likelihood of
> someone changing something without those two changing seems
> VEEEERY low.
I usually grab the sources from github, but for binaries I'd like
higher resolution SHAs presented on a secured server, different
from the one hosting the files. The main concern is that hackers
might obtain access to both the binary and the website that
presents the SHA…
PGP is good in theory, but if the keys are presented in a context
that isn't secured then what good use is it? There ought to be
some central authority for PGP/GPG, it isn't all that difficult
to implement either. The central authority could verify the
email. Without that, SHA is easier to deal with…