Verifying and checksumming new release is somewhat cumbersome

john doe johndoe65534 at mail.com
Thu Nov 26 19:12:27 CET 2020


Hello all,

I see that at (1) and (2) the public keys block and the sha1sums
respectively are listed on their corresponding page.

Is there a URL to download those sha1sums and those public keys as files?

That is for checksumming I could simply do:

$ wget <URL-OF-CHECKSUM-FILE>
$ sha1sum -c <CHECKSUM-FILE> --ignore-missing

and for the public key I could do something like:

$ wget <URL-OF-PUBLIC-KEYS>
$ gpg --import <PUBLIC-KEYS-FILES>
$ gpg --verify *.sig

I understand that for this last step I could also do:

$ gpg --keyserver-options auto-key-retrieve --verify *.sig


Any feedback is appreciated.

P.S.

If I can I'll be more than happy to help tweaking the release process in
that regard.


1)  https://gnupg.org/download/integrity_check.html
2)  https://gnupg.org/signature_key.html

--
John Doe
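
The checksum step from the message above, as an added example (not part of the original post and not GnuPG project code): a POSIX shell function that checks one downloaded file against a sha1sum-format list and fails when the list has no entry, or more than one, for that file. The function name, file names and list contents are constructed for illustration.

```shell
#!/bin/sh
# verify_release LIST FILE  (hypothetical helper, not a GnuPG tool)
# LIST uses the sha1sum format: "<hex digest>  <file name>".
# Returns 0 if LIST has exactly one entry for FILE and the digest matches,
# 1 on a digest mismatch, 2 if the entry is missing/duplicated or FILE is unreadable.
verify_release() {
    list=$1
    file=$2
    name=$(basename "$file")
    # Count entries whose name field is exactly NAME (text or "*binary" mode).
    count=$(awk -v n="$name" '$2 == n || $2 == "*" n {c++} END {print c+0}' "$list")
    if [ "$count" -ne 1 ]; then
        echo "verify_release: expected 1 entry for $name, found $count" >&2
        return 2
    fi
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n {print $1}' "$list")
    actual=$(sha1sum "$file") || return 2
    actual=${actual%% *}          # keep only the hex digest
    [ "$expected" = "$actual" ]
}

# Demo on constructed data: a list naming two files, only one of them present.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed release contents\n' > "$dir/example-1.0.tar.bz2"
    good=$(sha1sum "$dir/example-1.0.tar.bz2")
    good=${good%% *}
    {
        # Entry for a file that was not downloaded (digest of the empty string).
        echo "da39a3ee5e6b4b0d3255bfef95601890afd80709  other-2.0.tar.bz2"
        echo "$good  example-1.0.tar.bz2"
    } > "$dir/sha1sums.txt"

    verify_release "$dir/sha1sums.txt" "$dir/example-1.0.tar.bz2" \
        && echo "intact file: OK"
    # Simulate corruption or tampering after the list was published.
    printf 'extra bytes\n' >> "$dir/example-1.0.tar.bz2"
    verify_release "$dir/sha1sums.txt" "$dir/example-1.0.tar.bz2" \
        || echo "modified file: rejected"
    verify_release "$dir/sha1sums.txt" "$dir/unlisted.tar.bz2" 2>/dev/null \
        || echo "unlisted file: rejected"
    rm -rf "$dir"
}

demo
```

A matching digest only shows the file agrees with the list; the signature check with gpg --verify is what ties the release to the signing keys.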


