Hard to find alternate source of checksums

Jeff Martin jmtechwork at gmail.com
Sat Jun 16 19:47:31 CEST 2018


Lee wrote:
> So you still need to find a release announcement on 2 or 3 different
> sites to check the signing key fingerprints.

You have hit the heart of my problem. I cannot find these 2 or 3 different sites
That is why I came to this mailing list: for hints on how to find
these other sites.
My DDG & Goole searches were not enough.


On Mon, Jun 11, 2018 at 9:14 AM, Lee <ler762 at gmail.com> wrote:
> On 6/11/18, NdK   wrote:
>> Il 09/06/2018 19:08, Jeff Martin ha scritto:
>>> For a fresh install of GnuPG, I was following the integrity check
>>> directions. I have no prior version for GnuPG.
>> Why not fetch some (unrelated) live distributions, possibly some older
>> ones and some newer ones?
>>
>> GPG is usually included and you can use it to check the signatures.
>
> If you're not trusting the checksums listed on the website you're not
> trusting the signing key fingerprints listed on the site either.  So
> you still need to find a release announcement on 2 or 3 different
> sites to check the signing key fingerprints.  And know enough to make
> sure the auto key retrieval function in GPG is turned off in your live
> distro
>
> Lee



-- 
Jeff Martin
iOS Developer



More information about the Gnupg-users mailing list