Minor FAQ updates
p.lebbing at student.utwente.nl
Sat Feb 6 14:34:05 CET 2016
On 06/02/16 12:51, Robert J. Hansen wrote:
> There are no other changes to speak of. The FAQ is current, the
> contents are accurate.
I disagree on one point. It's about this thread from November 2014:
On 11/11/14 12:09, Werner Koch wrote:
> On Tue, 11 Nov 2014 11:00, peter at digitalbrains.com said:
>> If the warning is triggered by existence of a file without the
>> .sig extension, it does suggest to me that people should not rely
>> on the warning and thus always specify both the signature file and
>> the signed file on the command line. Because they might infer by
>> absence of the
> Indeed, this should always be done. [...]
Section 8.19 says:
> 3. Download the software package. Let’s assume it’s called
> 4. Download the detached signature for the package. Let’s assume it’s
> called “foo.zip.asc”.
> 5. Run:
> gpg foo.zip.asc
> GnuPG will assume the original file is in foo.zip. (If GnuPG can’t
> find foo.zip, GnuPG will prompt you for the name of the original
> package.) If all goes well, GnuPG will report good signatures and you
> may be confident you've received the package as the author intended.
I think this should be changed to read:
gpg --verify foo.zip.asc foo.zip
This will verify foo.zip using the signature in foo.zip.asc. If all goes
well, GnuPG will report good signatures and you may be confident you've
received the package as the author intended.
And perhaps readers of the FAQ should be made aware (in the same
section) that the old advice is no longer considered good practice,
since the old advice is obviously all over the internet.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
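The two-argument form recommended above, exercised end to end in a throwaway keyring. This is an added example, not part of the original post or of the GnuPG FAQ; it assumes a gpg binary of version 2.1.17 or later (for --quick-generate-key and --pinentry-mode loopback), and the key identity, file names and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): shows why naming both the
# signature and the signed file,
#     gpg --verify foo.zip.asc foo.zip
# leaves GnuPG nothing to guess, and that a tampered file fails verification.
# Runs entirely inside a temporary GNUPGHOME so your real keyring is untouched.
# Assumes gpg >= 2.1.17; key identity and file contents are constructed.

set -eu

# verify_detached SIGFILE DATAFILE
# Prints GOOD when gpg reports a valid signature over DATAFILE, BAD otherwise.
# Both names are always passed explicitly, so GnuPG never derives the data
# file from the signature's file name.
verify_detached() {
    if gpg --batch --quiet --verify "$1" "$2" >/dev/null 2>&1; then
        echo GOOD
    else
        echo BAD
    fi
}

# demo: create a signing key, sign a constructed "package", then verify the
# genuine file and a modified copy. Prints the two results as "GOOD BAD".
demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupghome"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway signing key with no passphrase (constructed identity).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        default default never >/dev/null 2>&1

    # The "software package" and its detached, ASCII-armoured signature.
    printf 'release tarball contents\n' > "$work/foo.zip"
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$work/foo.zip.asc" "$work/foo.zip"

    # A tampered copy: same signature file, different data.
    printf 'release tarball contents (modified)\n' > "$work/foo-tampered.zip"

    good=$(verify_detached "$work/foo.zip.asc" "$work/foo.zip")
    bad=$(verify_detached "$work/foo.zip.asc" "$work/foo-tampered.zip")

    # Stop the agent started for the temporary home and clean up.
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$good $bad"
}
```

Running `demo` prints `GOOD BAD`: the signature checks out against the file it was made over and fails against the altered copy. The same explicit two-argument form is what a download page or packaging script should use, since it does not depend on the signature file happening to sit next to a file with the expected name.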