[Alpine-info] How do I use gpg to verify alpine-2.26.zip?

Carlos E. R. via Alpine-info alpine-info at u.washington.edu
Wed Apr 10 18:11:15 PDT 2024





On Wednesday, 2024-04-10 at 21:18 -0000, ɯ u via Alpine-info wrote:

> Hi, I'm a long-time Pine/Alpine user and just noticed I'm mentioned on
> https://alpineapp.email/alpine/alpine-info/tips/ - thanks! :)
>
> After many years of using an old Alpine, I'm in the midst of installing
> Alpine 2.26 on one of my Windows devices. I downloaded alpine-2.26.zip
> from here:
>
> https://alpineapp.email/
>
> I verified the checksum and now want to check the integrity with gpg,
> but I need some help. I don't know much about gpg, but I was able to use
> these instructions to verify the Mullvad Browser signature:
>
> Verifying Mullvad Browser signature
> https://mullvad.net/en/help/verifying-mullvad-browser-signature
>
> After doing that, I thought OK, now I can kind of use these instructions
> to verify alpine-2.26.zip. I downloaded Eduardo's GPG public key from:
>
> https://alpineapp.email/alpine/gpg/alpine.chappa@yandex.com.gpg
>
> But what do I do now? I'm thinking that I need a file named something
> like alpine-2.26.zip.asc? I'd appreciate any help.

At that page you can read:



Source Code alpine-2.26.tar.xz
MD5: 0943b31c476276e924b02afbfaf98392
SHA256: c0779c2be6c47d30554854a3e14ef5e36539502b331068851329275898a9baba
GPG Signature: alpine-2.26.tar.xz.sig.


You can verify the "alpine-2.26.tar.xz" file with the signature
"alpine-2.26.tar.xz.sig" and Eduardo's public key.


cer@Telcontar:~/tmp/alpine> gpg --verify alpine-2.26.tar.xz.sig alpine-2.26.tar.xz
gpg: Signature made 2022-06-03T02:14:17 CEST
gpg: using RSA key 7BCC14640B206433AC2D511FBEB04EE9EA8259AD
gpg: Can't check signature: No public key
cer@Telcontar:~/tmp/alpine>

cer@Telcontar:~/tmp/alpine> wget https://alpineapp.email/alpine/gpg/alpine.chappa@yandex.com.gpg
--2024-04-11 03:01:56-- https://alpineapp.email/alpine/gpg/alpine.chappa@yandex.com.gpg
Resolving alpineapp.email (alpineapp.email)... 198.91.87.65
Connecting to alpineapp.email (alpineapp.email)|198.91.87.65|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3984 (3,9K) [application/x-msdownload]
Saving to: ‘alpine.chappa@yandex.com.gpg’

alpine.chappa@yandex.com.gpg 100%[=============================================>] 3,89K --.-KB/s in 0s

2024-04-11 03:01:57 (798 MB/s) - ‘alpine.chappa@yandex.com.gpg’ saved [3984/3984]

cer@Telcontar:~/tmp/alpine> l
total 7364
drwxr-xr-x 2 cer users 98 Apr 11 03:01 ./
drwxr-xr-x 158 cer users 8192 Apr 11 02:58 ../
-rw-r--r-- 1 cer users 7517628 Jun 3 2022 alpine-2.26.tar.xz
-rw-r--r-- 1 cer users 566 Jun 3 2022 alpine-2.26.tar.xz.sig
-rw-r--r-- 1 cer users 3984 Jun 15 2022 alpine.chappa@yandex.com.gpg
cer@Telcontar:~/tmp/alpine>

cer@Telcontar:~/tmp/alpine> gpg --import alpine.chappa@yandex.com.gpg
gpg: key BEB04EE9EA8259AD: "alpine.chappa@yandex.com" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
cer@Telcontar:~/tmp/alpine> gpg --verify alpine-2.26.tar.xz.sig alpine-2.26.tar.xz
gpg: Signature made 2022-06-03T02:14:17 CEST
gpg: using RSA key 7BCC14640B206433AC2D511FBEB04EE9EA8259AD
gpg: Good signature from "alpine.chappa@yandex.com" [unknown]
gpg: aka "Eduardo Chappa <eduardo.chappa@outlook.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7BCC 1464 0B20 6433 AC2D 511F BEB0 4EE9 EA82 59AD
cer@Telcontar:~/tmp/alpine>


That's the procedure for verifying the sources (although there is a chain
of trust problem in what I did). You cannot gpg verify the Windows binary
because the signature is not published.



--
Cheers,
Carlos E. R.
(from openSUSE 15.5 x86_64 at Telcontar)

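Added example (not part of the original message): the verification shown in the transcript above, made scriptable and tied to one specific key, which is one way to narrow the chain-of-trust gap the reply mentions. It reads gpg's machine-readable --status-fd output and accepts only a VALIDSIG line whose primary key fingerprint equals a pinned value. The pin is the fingerprint printed in the transcript and is assumed to have been confirmed through a channel independent of the download site; the function names are illustrative.

```shell
#!/bin/sh
# Added example: accept a detached signature only if a pinned key made it.
# PINNED_FPR is the fingerprint shown in the gpg output above. Assumption:
# it has been confirmed through a channel other than the download site.
PINNED_FPR="7BCC14640B206433AC2D511FBEB04EE9EA8259AD"

# check_status FPR: read `gpg --status-fd` lines on stdin.
# Returns 0 only if a VALIDSIG line names FPR as the primary key and no
# BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line is present.
check_status() {
    awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; fall back to field 3
            # (the signing key fingerprint) when gpg omits it.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned SIGFILE DATAFILE: run gpg and judge its status lines,
# not the human-readable "Good signature" text.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Usage: sh verify.sh alpine-2.26.tar.xz.sig alpine-2.26.tar.xz
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "OK: signed by $PINNED_FPR"
    else
        echo "FAIL: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```

A key that is merely present in the keyring produces the same "Good signature" text for any file it signed, so the fingerprint comparison is what ties the result to the expected signer.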

