PGP Signature

 

I digitally sign my software using GnuPG to help prove the authenticity of the software. If you want to verify the digital signature of a file such as slang-2.3.2.tar.bz2, then also download the associated detached signature file, which in this example would be slang-2.3.2.tar.bz2.asc. Then execute the following command:

    # gpg --verify slang-2.3.2.tar.bz2.asc slang-2.3.2.tar.bz2
You should see something like:
    gpg: Signature made Sun 04 Mar 2018 06:24:02 PM EST
    gpg:                using DSA key DE401E0D5873000A
    gpg: Good signature from "John E. Davis <jed@jedsoft.org>" [unknown]
    gpg:                 aka "John E. Davis <davis@space.mit.edu>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: AE96 2A02 D29B FE4A 4BB2  805F DE40 1E0D 5873 000A
You should not be alarmed if you see the warning message. This just indicates that you have not taken steps to ensure the authenticity of my signature. Note that the key's fingerprint must match my public key's fingerprint, which is given below. If you see a message such as:
    gpg: Signature made Sun 04 Mar 2018 06:24:02 PM EST
    gpg:                using DSA key DE401E0D5873000A
    gpg: Can't check signature: No public key
then you will first need to obtain my public key and add it to your keyring. My public key may be obtained by downloading the ASCII file jedavis_public_key2.asc. This file contains two public keys, an older one with the fingerprint
    AE96 2A02 D29B FE4A 4BB2  805F DE40 1E0D 5873 000A
and a newer one with the fingerprint
    6408 3373 E9E1 DE99 7EBB  E778 4B82 D0B8 2930 237D
The old key was used to sign the software released before 2020-06-01, and the newer one is used after that date. To add the keys to your keyring, use
    gpg --import jedavis_public_key2.asc
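
The fingerprint comparison described above can be scripted instead of read by eye from the gpg output. The following is an added example, not part of the original page and not the author's code: the function names, the treatment of the cutover day, and the use of the signature date in place of the release date are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): accept a release only when
# gpg reports a good signature from one of the fingerprints listed above.
OLD_FPR=AE962A02D29BFE4A4BB2805FDE401E0D5873000A  # releases before CUTOVER
NEW_FPR=64083373E9E1DE997EBBE7784B82D0B82930237D  # releases after it
CUTOVER=2020-06-01

# Reads "gpg --status-fd" lines on stdin; exit status 0 means accepted.
# Assumptions: the signature date stands in for the release date, and a
# signature dated exactly on CUTOVER belongs to the newer key. The date is
# written by the signer, so this is a consistency check, not proof of age.
pinned_fpr_ok() {
    awk -v old="$OLD_FPR" -v new="$NEW_FPR" -v cut="$CUTOVER" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        # Any of these means the signature or its key must not be relied on.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        $2 == "VALIDSIG" {
            valid++
            date = $4 ""                          # YYYY-MM-DD
            primary = ((NF >= 12) ? $12 : $3) ""  # primary key fingerprint
        }
        END {
            if (good != 1 || valid != 1 || bad > 0) exit 1
            if (primary == new && date >= cut) exit 0
            if (primary == old && date <  cut) exit 0
            exit 1
        }'
}

# Usage: verify_release slang-2.3.2.tar.bz2.asc slang-2.3.2.tar.bz2
# Status lines go to stdout (fd 1); the human-readable text stays on stderr.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | pinned_fpr_ok
}
```

A zero exit status from verify_release means the signature is good and was made by a pinned key in the period the page assigns to it; any other outcome, including a missing public key, is a failure.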

This page was last updated Dec 17, 2021 by John E. Davis.
To comment on it or the material presented here, send email to jed at jedsoft org.