[Geany-Users] VerifyingDownloadedGeanyAndPlugins

Frank Lanitz frank at xxxxx
Fri Aug 21 20:48:10 UTC 2020



On 21.08.20 19:14, Geoff Kaniuk wrote:
> The report from several posts on stack exchange for gpg verification
> seem to suggest that first time round things do fail.
> 
> I have now run:
> ~$ gpg --verify geany-1.36.tar.gz.sig geany-1.36.tar.gz
> gpg: Signature made Sat 28 Sep 2019 13:50:49 BST
> gpg:                using RSA key ACA0246889FB96B63382111724CCD8550E5D1CAE
> gpg: Good signature from "Colomban Wendling <ban at ban.netlib.re>" [expired]
> gpg:                 aka "Colomban Wendling <ban at herbesfolles.org>"
> [expired]
> gpg:                 aka "Colomban Wendling
> <lists.ban at herbesfolles.org>" [expired]
> gpg: Note: This key has expired!
> Primary key fingerprint: ACA0 2468 89FB 96B6 3382  1117 24CC D855 0E5D 1CAE
> ~$ echo $?
> 0
> 
> Given that I have received a "Good Signature" message and a return code
> of zero, I guess the file is perfect?

Yepp. Only it was done with a key that is not valid anymore. It's up to
you whether you still trust it or not.

> The md5sum for the plugins also checks out OK.

We should ban md5 to somewhere far far far away :D

.f


More information about the Users mailing list