[Alpine-info] How do I use gpg to verify alpine-2.26.zip?

[NM Public via Alpine-info]

Thank you very much Carlos. Your steps, especially the two steps quoted 
below worked for me (using Git Bash on Windows)!

If I write about this on www.ii.com, do you mind if I include your steps 
in my article? I will of course give you credit and link to you - 
please send me a good link to use for you.

Thanks!
Nancy
   happy to be able to use PC-Alpine on this kind of new PC

PS - this is the first non-test message I'm sending from PC-Alpine 2.26 :)



On Thu, 11 Apr 2024, Carlos E. R. via Alpine-info wrote:


> cer at Telcontar:~/tmp/alpine> gpg --import alpine.chappa at yandex.com.gpg gpg: 

> key BEB04EE9EA8259AD: "alpine.chappa at yandex.com" not changed

> gpg: Total number processed: 1

> gpg:              unchanged: 1



> cer at Telcontar:~/tmp/alpine> gpg --verify alpine-2.26.tar.xz.sig 

> alpine-2.26.tar.xz

> gpg: Signature made 2022-06-03T02:14:17 CEST

> gpg:                using RSA key 7BCC14640B206433AC2D511FBEB04EE9EA8259AD

> gpg: Good signature from "alpine.chappa at yandex.com" [unknown]

> gpg:                 aka "Eduardo Chappa <eduardo.chappa at outlook.com>" 

> [unknown]

> gpg: WARNING: This key is not certified with a trusted signature!

> gpg:          There is no indication that the signature belongs to the owner.

> Primary key fingerprint: 7BCC 1464 0B20 6433 AC2D  511F BEB0 4EE9 EA82 59AD

>

>

> That's the procedure for verifying the sources (although there is a chain of 

> trust problem in what I did). You can not gpg verify the windows binary 

> because the signature is not published.