Hi,
I always like to be able to download the pubkeys and signatures so I can verify the downloads before doing the installation.
gpg2 gives me these diagnostics:
geany-2.0.tar.bz2.sig Good signature from "Colomban Wendling ban@ban.netlib.re" [expired]
geany-2.0.tar.gz.sig Good signature from "Colomban Wendling ban@ban.netlib.re" [expired]
geany-2.0_setup.exe.sig Good signature from "Enrico Tröger enrico.troeger@uvena.de" [unknown]
and for geany-plugins-2.0.*.sig
gpg: Signature made Oct 19, 2023 xx:xx:xx MDT
gpg: using EDDSA key 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888
gpg: requesting key EC3A8C6CF6546888 from hkp://pgp.surf.nl
gpg: Can't check signature: No public key
In summary, two expired keys were used to sign the geany 2.0 assets, and the public key required to verify the geany-plugins 2.0 assets does not seem to be available on the geany.org site.
There are also no signatures for the .zip and .tar.gz files containing the source code for both geany and geany-plugins.
With previous releases, I have also used the MD5SUM, and SHA*SUM files for additional verification.
TIA
Doug
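
Added example (not part of the original post and not the Geany project's code): a POSIX shell classifier for gpg's machine-readable --status-fd output. It separates the three outcomes reported above: a good signature from an expired key, a good signature from a key of unknown validity, and a missing public key. The function names, verdict strings and sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the status lines produced by
#   gpg --status-fd 1 --verify FILE.sig FILE
# Reads status lines on stdin and prints exactly one verdict.
classify_status() {
    verdict=unknown
    trust=
    while read -r tag keyword _rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        # A bad signature is final; later lines must not override it.
        [ "$verdict" = bad ] && continue
        case "$keyword" in
            GOODSIG)   verdict=good ;;
            EXPKEYSIG) verdict=expired-key ;;  # printed as "[expired]"
            EXPSIG)    verdict=expired-sig ;;
            REVKEYSIG) verdict=revoked-key ;;
            BADSIG)    verdict=bad ;;
            NO_PUBKEY) verdict=no-pubkey ;;    # "Can't check signature"
            TRUST_UNDEFINED|TRUST_NEVER) trust=untrusted ;;  # e.g. "[unknown]"
            TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE) trust=trusted ;;
        esac
    done
    # The signature checks out, but nothing ties the key to its owner yet.
    if [ "$verdict" = good ] && [ "$trust" != trusted ]; then
        verdict=good-untrusted
    fi
    echo "$verdict"
}

# Hypothetical wrapper: verify a detached signature and classify the result.
verify_release() {  # usage: verify_release FILE.sig FILE
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status
}

# Constructed sample status lines. Only EC3A8C6CF6546888 comes from the
# post; the other key ids and the signer name are placeholders.
printf '%s\n' '[GNUPG:] EXPKEYSIG 0000000000000001 Constructed Signer' \
    | classify_status
printf '%s\n' '[GNUPG:] GOODSIG 0000000000000002 Constructed Signer' \
    '[GNUPG:] TRUST_UNDEFINED 0 pgp' | classify_status
printf '%s\n' '[GNUPG:] NO_PUBKEY EC3A8C6CF6546888' | classify_status
```

Only the verdict "good" means both that the signature is valid and that the local keyring trusts the key; every other verdict calls for checking the key's fingerprint or expiry against a source independent of the download server.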