Verifying and checksumming new release is somewhat cumbersome

john doe johndoe65534 at
Sat Nov 28 07:57:05 CET 2020

On 11/26/2020 9:10 PM, Werner Koch wrote:
> Hi,
> and thanks for asking.

Thanks for this.

To be sure that I understand you correctly, I took the liberty of
rewording your answers.

> On Thu, 26 Nov 2020 19:12, john doe said:
>> Is there a URL to download those sha1sums and those public keys as files?
> The problem with sha1sums is that a single publication would be easy to
> fake.  The only known countermeasure is to widely distribute them.  We
> do have them on the website as you noticed, they are sent out by signed
> mail to several thousand subscribers, and our and other mail archives
> carry the release announcement with the checksums.

If I look at Debian (1) for example, the checksum file is gpg signed.
Assuming that I understand correctly, the Debian approach is not a safe
way to make the checksums available (propagate them)?

> No, there is no single file with the checksums because that would be a
> too easy target for an attacker.

Even if the file would be gpg signed?

>> and for the public key I could do something like:
>> $ wget <URL-OF-PUBLIC-KEYS>
>> $ gpg --import <PUBLIC-KEYS-FILES>
>> $ gpg --verify *.sig
> And please check the printed fingerprint against copies of the
> fingerprint distributed in the same way as the checksums.  The keys are
> also quite well connected in the Web-of-Trust, which can also help to
> validate them.

You mean by checking if the fingerprint of the downloaded keys matches
the one listed on the web site?

> The advantage of the public keys and the fingerprints is that they do
> not change and thus you only need to validate them once and sign
> the keys so that you can trust them in the future.

Okay, if the fingerprints match I should sign the keys with mine.

>> I understand that for this last step I could also do:
>> $ gpg --keyserver-options auto-key-retrieve --verify *.sig
> Don't.  For verification always use
>     gpg --verify file.sig file

Okay, won't do that anymore.

> and check the output well.  If you need to automate this, use gpgv and
> put all the trusted signing keys into a dedicated keyring.  For
> automating this with gpg, I would suggest to write a gpgme based tool.

If I want to verify a new release:
- Manually: take advantage of gpgv
- Unattended: use a wrapper around gpgme

Your input is much appreciated.


John Doe
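As an added illustration (not part of the thread above), the unattended path Werner describes: a dedicated keyring checked against a pinned fingerprint, gpgv for the signature, and a checksum compared with the value quoted in the announcement. The fingerprint constant is a placeholder, and gpg, gpgv and sha1sum are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the gnupg-users thread or the GnuPG project.
# Pinned fingerprint of the release signing key: PLACEHOLDER, replace it with
# the value obtained from an independent copy (website, signed announcement).
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Build a dedicated keyring from a downloaded key file and accept it only if
# the pinned fingerprint is among the imported (sub)keys.
make_keyring() {  # make_keyring KEYRING KEYFILE
    keyring=$1; keyfile=$2
    gpg --batch --no-default-keyring --keyring "$keyring" --import "$keyfile" >/dev/null 2>&1
    gpg --batch --no-default-keyring --keyring "$keyring" --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$EXPECTED_FPR"
}

# Compare a file's SHA-1 with the sum published in the release announcement.
check_sha1() {  # check_sha1 FILE EXPECTED_SHA1
    actual=$(sha1sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# Verify the detached signature FILE.sig using only the dedicated keyring,
# never the default keyring and never key auto-retrieval.
verify_sig() {  # verify_sig KEYRING FILE
    gpgv --keyring "$1" "$2.sig" "$2"
}

# Full check: keyring + fingerprint, then signature, then checksum.
verify_release() {  # verify_release KEYFILE FILE EXPECTED_SHA1
    keyring=$(pwd)/release-keys.kbx
    make_keyring "$keyring" "$1" || { echo "key fingerprint mismatch" >&2; return 1; }
    verify_sig "$keyring" "$2"   || { echo "bad signature" >&2; return 1; }
    check_sha1 "$2" "$3"         || { echo "checksum mismatch" >&2; return 1; }
    echo "OK: $2"
}

# Usage: ./verify-release.sh KEYFILE TARBALL EXPECTED_SHA1
if [ $# -eq 3 ]; then verify_release "$@"; fi
```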

More information about the Gnupg-users mailing list