This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.

RE: How am I supposed to verify gcc-4.8.0 download when you provide no .sig file?...


I was able to verify it with the .sig from gnu.org ftp, along with the info
at http://ftp.gnu.org/ about where to obtain the gnu-keyring.gpg file.

A suggestion... In addition to making sure the .sig is copied to your
mirrors, I recommend including the gnu-keyring.gpg info (from
http://ftp.gnu.org) at http://gcc.gnu.org/mirrors.html instead of just
saying "The archives on these mirrors will be signed by one of the following
GnuPG keys: ..." and listing the fingerprints (but not providing the actual
keys).

One more thing... 4.8.0 was signed with an expired key:

	$ gpg --verify --keyring ./gnu-keyring.gpg ./gcc-4.8.0.tar.gz.sig
	gpg: Signature made Fri 22 Mar 2013 08:32:29 AM CDT using DSA key ID C3C45C06
	gpg: Good signature from "Jakub Jelinek <jakub@redhat.com>"
	gpg: Note: This key has expired!
	Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29  3709 A328 C3A2 C3C4 5C06

Also, I am about to submit a bug ("internal compiler error") I found in
4.8.0/4.8.1, which of course clang has no problem with.


-----Original Message-----
From: Tobias Burnus [mailto:burnus@net-b.de] 
Sent: Monday, April 29, 2013 5:25 PM
To: Scott Baldwin
Cc: gcc@gcc.gnu.org
Subject: Re: How am I supposed to verify gcc-4.8.0 download when you provide no .sig file?...

On 29.04.2013 22:14, Scott Baldwin wrote:
> Just downloaded 4.8.0 from one of your mirror sites listed at 
> [http://gcc.gnu.org/mirrors.html] and would like to verify the file 
> with GPG.
>
> Your site says "The archives there will be signed by one of the 
> following GnuPG keys...", but I see no .sig/.asc file on the mirror 
> sites (or in the package itself), so how am I supposed to verify the file,
> exactly?

Interestingly, the .sig files are only on the GNU server, e.g.
   http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/
but not on the GCC server, e.g.
   ftp://gcc.gnu.org/pub/gcc/releases/gcc-4.8.0/

As the latter is used by the mirrors, it is also not available on the
mirrors.

Tobias
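
Added example, not part of either message above: a shell function that turns GnuPG's machine-readable `--status-fd` lines into one verdict, pinning the fingerprint shown in the quoted gpg output and reporting the expired-key case separately instead of relying on the human-readable "Good signature" text. The function name `classify_sig` and the sample status lines (including their timestamps) are constructed for illustration; the status keywords are those of GnuPG's documented status interface, and 40-hex-digit fingerprints are assumed.

```shell
#!/bin/sh
# Usage (file names taken from the command quoted in the message):
#   gpg --status-fd 1 --verify --keyring ./gnu-keyring.gpg \
#       ./gcc-4.8.0.tar.gz.sig 2>/dev/null | classify_sig "$GCC_FPR"

# Fingerprint as printed in the gpg output quoted in the message.
GCC_FPR='33C2 35A3 4C46 AA3F FB29  3709 A328 C3A2 C3C4 5C06'

# classify_sig EXPECTED_FPR   (status lines on stdin)
# Prints one verdict: good | good-expired-key | wrong-key | bad | unverified
classify_sig() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    state=none
    fpr=
    while read -r tag keyword a1 rest; do
        if [ "$tag" != "[GNUPG:]" ]; then continue; fi
        case "$keyword" in
            GOODSIG)   if [ "$state" = none ]; then state=good; fi ;;
            EXPKEYSIG) if [ "$state" = none ]; then state=expired; fi ;;
            BADSIG|ERRSIG|EXPSIG|REVKEYSIG) state=bad ;;
            VALIDSIG)
                # Last field is the primary key fingerprint; if it is
                # absent, fall back to the signing key fingerprint.
                fpr=${rest##* }
                if [ "${#fpr}" -ne 40 ]; then fpr=$a1; fi ;;
        esac
    done
    if [ "$state" = bad ]; then echo bad
    elif [ "$state" = none ] || [ -z "$fpr" ]; then echo unverified
    elif [ "$fpr" != "$expected" ]; then echo wrong-key
    elif [ "$state" = expired ]; then echo good-expired-key
    else echo good
    fi
}

# Constructed sample status output (not captured from a real run).
SAMPLE_EXPIRED='[GNUPG:] EXPKEYSIG A328C3A2C3C45C06 Jakub Jelinek <jakub@redhat.com>
[GNUPG:] VALIDSIG 33C235A34C46AA3FFB293709A328C3A2C3C45C06 2013-03-22 1363959149 0 4 0 17 2 00 33C235A34C46AA3FFB293709A328C3A2C3C45C06'
SAMPLE_GOOD='[GNUPG:] GOODSIG A328C3A2C3C45C06 Jakub Jelinek <jakub@redhat.com>
[GNUPG:] VALIDSIG 33C235A34C46AA3FFB293709A328C3A2C3C45C06 2013-03-22 1363959149 0 4 0 17 2 00 33C235A34C46AA3FFB293709A328C3A2C3C45C06'
SAMPLE_BAD='[GNUPG:] BADSIG A328C3A2C3C45C06 Jakub Jelinek <jakub@redhat.com>'
```

A `good-expired-key` verdict means the signature is cryptographically valid and made by the pinned key, but the key's validity period has ended; whether to accept that is a policy decision the caller makes explicitly.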
