h : help@gna.org 25 November 2005 • 12:29AM -0500

[gna-help] [recipe #116] Checking authenticity of files in the Download Area
by Mathieu Roy

URL:
  <http://gna.org/cookbook/?func=detailitem&item_id=116>

        Summary/Question: Checking authenticity of files in the Download Area
                 Project: Gna! Administration
            Submitted by: yeupou
            Submitted on: Thursday 24.11.2005 at 17:29
                Category: Source Code Managers
              Importance: 3 - Normal
                  Status: Approved
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open

    _______________________________________________________

Details:

To check the authenticity of a file, one of the best tools currently
available is GnuPG (GPG). We will not describe here what GnuPG is and
how it works: if you are looking for that information, check the GnuPG
documentation.

You can use GnuPG to check the authenticity of a file only if this
file has been signed with GnuPG in the first place.

Download the file you are interested in and its signature. The
signature is usually named after the file, with a .sig suffix. For
instance, at http://download.gna.org/pdbv/pdbv.perl.pkg/2.0.9/, you can
download pdbv-2.0.9.tar.gz (the file) and pdbv-2.0.9.tar.gz.sig (the
signature).

Use GnuPG to verify the file against its signature:

    gpg --verify pdbv-2.0.9.tar.gz.sig

If it says that the relevant public key is not found, you must
import the public keyring of the project to which the file belongs.
On the project's main page on Savane, http://gna.org/projects/pdbv,
there is a pointer to the project's GPG keyring. Follow it and you will
find the keyring available for download and import. Once the keyring
is imported, run the same command again.

If it says the signature is correct, the authenticity of the file
is confirmed. Indeed, the signature should belong to a member of
the project.

Note that automated checks are performed. Normally, questionable files (files
for which verification failed) should have been moved into subdirectories
called maybe-corrupted.
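
The verification step above as a scriptable check, added here as an example (not part of the original recipe or Gna!'s own tooling). It reads gpg's --status-fd lines rather than the human-readable output, and imports only the project keyring into a throwaway GnuPG home, so a good signature from an unrelated key in your personal keyring does not count. The function names, verdict strings and the keyring filename are assumptions.

```shell
#!/bin/sh
# Added example, not Gna!'s tooling. Function names and verdict strings are
# assumptions made for this sketch.

# Read `gpg --status-fd` output on stdin and print one verdict. Only lines
# carrying the "[GNUPG:]" prefix count, so text inside a user ID cannot pose
# as a result, and any failure outranks a GOODSIG seen elsewhere in the
# stream.
classify_gpg_status() (
    bad=0 nokey=0 stale=0 good=0 valid=0
    while read -r tag keyword _rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG) bad=1 ;;
            NO_PUBKEY) nokey=1 ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG) stale=1 ;;
            GOODSIG) good=1 ;;
            VALIDSIG) valid=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then echo bad-signature
    elif [ "$nokey" -eq 1 ]; then echo missing-key
    elif [ "$stale" -eq 1 ]; then echo expired-or-revoked
    elif [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]; then echo good
    else echo not-verified
    fi
)

# verify_download FILE KEYRING: check FILE against FILE.sig using only the
# keys in KEYRING (assumed: the project keyring saved from its Savane page).
verify_download() (
    file=$1 keyring=$2
    [ -f "$file" ] && [ -f "$file.sig" ] && [ -f "$keyring" ] ||
        { echo missing-input; exit 2; }
    GNUPGHOME=$(mktemp -d) || exit 2
    export GNUPGHOME
    gpg --batch --quiet --import "$keyring" 2>/dev/null || true
    # Name the data file explicitly rather than letting gpg infer it.
    verdict=$(gpg --batch --status-fd 1 --verify "$file.sig" "$file" \
        2>/dev/null | classify_gpg_status)
    gpgconf --kill all 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    echo "$verdict"
    [ "$verdict" = good ]
)

# Usage (pdbv-keyring.asc is a placeholder name for the downloaded keyring):
#   verify_download pdbv-2.0.9.tar.gz pdbv-keyring.asc
```

A "good" verdict here means the signature was made by a key in the supplied keyring; it does not evaluate how that keyring itself was obtained.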







    _______________________________________________________

Reply to this item at:

  <http://gna.org/cookbook/?func=detailitem&item_id=116>

_______________________________________________
  Message posted via/by Gna!
  http://gna.org/


_______________________________________________
Help mailing list
Help@gna....
http://mail.gna.org:8080/listinfo/help
