On 21.08.20 19:14, Geoff Kaniuk wrote:
The report from several posts on stack exchange for gpg verification seem to suggest that first time round things do fail.
I have now run: ~$ gpg --verify geany-1.36.tar.gz.sig geany-1.36.tar.gz gpg: Signature made Sat 28 Sep 2019 13:50:49 BST gpg: using RSA key ACA0246889FB96B63382111724CCD8550E5D1CAE gpg: Good signature from "Colomban Wendling ban@ban.netlib.re" [expired] gpg: aka "Colomban Wendling ban@herbesfolles.org" [expired] gpg: aka "Colomban Wendling lists.ban@herbesfolles.org" [expired] gpg: Note: This key has expired! Primary key fingerprint: ACA0 2468 89FB 96B6 3382 1117 24CC D855 0E5D 1CAE ~$ echo $? 0
Given that I have received a "Good Signature" message and a return code of zero, I guess the file is perfect?
Yepp. Only it was done with a key that is not valid anymore. It's up to you whether you still trust it or not.
The md5sum for the plugins also checks out OK.
We should ban md5 to somewhere far far far away :D
.f