Can the docs have an amendment on how to use the .sig files to verify the integrity of a release binary?
The checksum verification is fairly straightforward:
$ cat gosec_2.19.0_checksums.txt
...
78ec94e2d726d939ac0cb77082b00528e3aec3c68f3b94b41405f21a88a06fe7 gosec_2.19.0_darwin_arm64.tar.gz
...
$ echo "78ec94e2d726d939ac0cb77082b00528e3aec3c68f3b94b41405f21a88a06fe7 gosec_2.19.0_darwin_arm64.tar.gz" | shasum -a 256 -c
gosec_2.19.0_darwin_arm64.tar.gz: OK
But it's not clear to me how to verify via the sig files:
$ gpg --verify gosec_2.19.0_darwin_arm64.tar.gz.sig gosec_2.19.0_darwin_arm64.tar.gz
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Steps to reproduce the behavior
Utilize gpg --verify [signature_file] [file]
gosec version
v2.19.0
Go version (output of 'go version')
go version go1.22.2 darwin/arm64
Operating system / Environment
macOS Sonoma 14.4.1 arm64
Expected behavior
Successful verification
Actual behavior
gpg seems to fail to verify. The file itself is verified via the checksum.
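Added example, not part of this issue and not the gosec project's own release tooling: a POSIX shell script that pulls the archive's line out of a goreleaser-style checksums file instead of retyping the hash, runs the check, and inspects a .sig file to tell whether it is OpenPGP data at all. gpg's "no valid OpenPGP data found" is a parse failure, not a BAD signature: the file is not an OpenPGP signature in either armored or binary form, so the next step is to find out which signing tool produced the .sig rather than to retry gpg. The script builds its own sample archives, checksum lists and three stand-in .sig files (constructed fixtures, not real gosec release artifacts); falling back from sha256sum to shasum is an assumption about the host. The two checks prove different things: a checksum fetched from the same place as the archive only guards against a corrupted or swapped download, while a signature verified against a key obtained out of band is what ties the archive to the publisher.

```shell
#!/bin/sh
# Added example (not from the gosec project): verify a release archive against a
# goreleaser-style checksums file, and classify a .sig file before handing it to gpg.
set -eu

# Assumption about the host: macOS ships shasum, most Linux hosts ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Reads "<hash>  <file>" lines on stdin; exit status is the verdict, no output.
sha256_check() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c --status
    else
        shasum -a 256 -c --status
    fi
}

# verify_checksum ARCHIVE CHECKSUM_FILE
# Select the entry for ARCHIVE by exact filename (so the hash is never retyped
# by hand) and check it. Returns 0 on match, 1 on mismatch or missing entry.
verify_checksum() {
    archive=$1; sums=$2
    name=$(basename "$archive")
    line=$(awk -v n="$name" '$2 == n { print $1 "  " n }' "$sums")
    [ -n "$line" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    # Run from the archive's directory so the bare filename in the line resolves.
    (cd "$(dirname "$archive")" && printf '%s\n' "$line" | sha256_check)
}

# sig_kind SIGFILE
# Prints openpgp-armored, openpgp-binary or not-openpgp. gpg --verify accepts
# only the first two; anything else yields "no valid OpenPGP data found", which
# means the release was signed with some other scheme and needs that scheme's tool.
sig_kind() {
    f=$1
    if [ "$(head -c 15 "$f")" = "-----BEGIN PGP " ]; then
        echo openpgp-armored; return 0
    fi
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    case "$first" in
        # Old-format packet header for tag 2 (signature) is 0x88..0x8b;
        # the new-format header for tag 2 is 0xc2.
        88|89|8a|8b|c2) echo openpgp-binary ;;
        *) echo not-openpgp ;;
    esac
}

# make_fixtures DIR: constructed sample data for the demo (not real gosec artifacts).
make_fixtures() {
    d=$1
    mkdir -p "$d"
    printf 'not a real archive, just sample bytes\n' > "$d/sample.tar.gz"
    printf 'other sample\n' > "$d/other.tar.gz"
    {
        printf '%s  other.tar.gz\n' "$(sha256_of "$d/other.tar.gz")"
        printf '%s  sample.tar.gz\n' "$(sha256_of "$d/sample.tar.gz")"
    } > "$d/checksums.txt"
    # A list with a deliberately wrong hash, to exercise the failure path.
    printf '%s  sample.tar.gz\n' "$(printf '%064d' 0)" > "$d/bad_checksums.txt"
    # Stand-in .sig files: armored OpenPGP, a binary OpenPGP-style header (0x88),
    # and plain base64 text of the sort gpg rejects as "no valid OpenPGP data".
    printf -- '-----BEGIN PGP SIGNATURE-----\n\nabc=\n-----END PGP SIGNATURE-----\n' > "$d/armored.sig"
    printf '\210\001\001' > "$d/binary.sig"
    printf 'MEUCIQD/zzzz\n' > "$d/other.sig"
}

# Stand-alone demo on the constructed fixtures in a scratch directory.
tmpd=$(mktemp -d)
trap 'rm -rf "$tmpd"' EXIT
make_fixtures "$tmpd"
if verify_checksum "$tmpd/sample.tar.gz" "$tmpd/checksums.txt"; then
    echo "sample.tar.gz vs checksums.txt: OK"
fi
if ! verify_checksum "$tmpd/sample.tar.gz" "$tmpd/bad_checksums.txt"; then
    echo "sample.tar.gz vs bad_checksums.txt: MISMATCH (expected)"
fi
for s in armored binary other; do
    echo "$s.sig: $(sig_kind "$tmpd/$s.sig")"
done
```

To use it on a real download, drop the demo section and call `verify_checksum gosec_2.19.0_darwin_arm64.tar.gz gosec_2.19.0_checksums.txt` and `sig_kind gosec_2.19.0_darwin_arm64.tar.gz.sig`; if the latter prints not-openpgp, the .sig needs the verifier for whatever scheme the project's release pipeline uses, and the project's docs (or its goreleaser configuration) are the place to confirm which one.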