Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Actually verify tarball against PGP signature #193

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Actually verify tarball against PGP signature #193

wants to merge 1 commit into from

Conversation

Footpad
Copy link

@Footpad Footpad commented Dec 1, 2023

This addresses #192

With only this change, gpg logs a (slightly) more promising message:

gpg: Signature made Thu 30 Mar 2023 10:28:52 PM UTC using RSA key ID ED3D1561
gpg: Can't check signature: No public key

I understand that in #74 this is the desired result as it is intentional that swiftenv will not download the public keys. It would be nice if swiftenv did have a utility to help make that easier, but I agree it doesn't need to be part of the install command.

If I then get the Swift public keys as described on Swift.org, we see a successful verification:

gpg: Signature made Mon 12 Sep 2022 07:39:56 AM UTC using RSA key ID ED3D1561
gpg: Good signature from "Swift 5.x Release Signing Key <swift-infrastructure@swift.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A62A E125 BBBF BB96 A6E0  42EC 925C C1CC ED3D 1561

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@Footpad