manWineFR - Cookbook: recipe #116, Checking authenticity of files in...

Show feedback again

recipe #116, Source Code Managers: Checking authenticity of files in the download area

To check the authenticity of a file, one of the best tools currently available is GPG. We will not describe here what is GnuPG and how it works: if you are looking for that information, check the GnuPG documentation.

You can use GnuPG to check the authenticity of a file only if this file has been signed with GnuPG in first place.

Download the file you are interested in and its signature. The signature is usually named after the file with a .sig. For instance, at , you can download pdbv-2.0.9.tar.gz (the file) and pdbv-2.0.9.tar.gz.sig (the signature).

Use GnuPG to compare the files:

If it says that the relevant public key is not found, you must import the public keyring of the project to which the file belongs.
On the project main project page through Savane, , there's a pointer to the GPG Keyring of the project. Get there and you'll find available for download and import the keyring. Once the keyring imported, redo the same command as before.

If it says the signature is correct, the authenticity of the file is confirmed. Indeed, the signature should belong to a member of the project.

Note that automated checks are performed. Normally, questionable files (files for which verification failed) should have been moved into subdirectories called maybe-corrupted.

Last update: Tue Oct 31 17:09:47 2006
This recipe comes from Gna! User Docs






Audience and Context

   Anonymous Users, Logged-in Users, All Project Members
   Download Area

(As there is at least one of the Audience/Feature/Action context information not set, this recipe will not show up in related recipes links)

Show feedback again

Back to the top

Powered by Savane 3.1-cleanup