bug#55666: enhancement request - SHA-256 for emacs downloads

unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed

From: Eli Zaretskii <eliz@gnu.org>
To: Ali Elshishini <shishini@outlook.com>, Corwin Brust <corwin@bru.st>
Cc: larsi@gnus.org, 55666@debbugs.gnu.org
Subject: bug#55666: enhancement request - SHA-256 for emacs downloads
Date: Sat, 28 May 2022 09:15:23 +0300	[thread overview]
Message-ID: <83czfymbd0.fsf@gnu.org> (raw)
In-Reply-To: <BL0PR1901MB4676C79F8C3637A844934BB4DBDB9@BL0PR1901MB4676.namprd19.prod.outlook.com> (message from Ali Elshishini on Sat, 28 May 2022 00:43:28 +0000)

> From: Ali Elshishini <shishini@outlook.com>
> CC: "55666@debbugs.gnu.org" <55666@debbugs.gnu.org>
> Date: Sat, 28 May 2022 00:43:28 +0000
> 
> Thanks for pointing out the announcement email
> Unfortunately it doesn't include the SHA hashes for the windows files 

You never said in your original message that this is about the Windows
binaries.

The Windows precompiled binaries are produced by volunteers who are
only loosely associated with the Emacs project.  The project releases
Emacs as source tarballs, and the SHA checksums for that are in the
announcement.  I've CC'ed Corwin, who produced the latest binaries of
Emacs 28.1.

For the Windows binaries, providing the SHA checksums is entirely up
to the person(s) who makes the binaries available.

> Also verify the signature on windows I am not sure if this is the expected output
> for me look like it failed 
> 
> >From command line
> 
> PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys
> 17E90D521672C04631B1183EE78DAE0F3115E06B 
> gpg: key E78DAE0F3115E06B: "Eli Zaretskii <eliz@gnu.org>" not changed
> gpg: Total number processed: 1
> gpg:              unchanged: 1
> PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
> gpg: assuming signed data in '.\emacs-28.1.zip'
> gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
> gpg:                using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
> gpg: Can't check signature: No public key
> PS C:\downloads>

You are using the wrong GPG key: my key was used to sign the source
tarballs, not the Windows binary zip files.  The Windows binaries were
signed by Corwin Brust's key as the Download page says.  You need to
fetch that key, not mine.

> I think adding the SHA hashes somewhere remains a valuable addition
> using and verifying signature on windows is more complicated than it needs to be

That may be so, but this activity is based on volunteers doing this on
their free time.  We can only ask them to do what their time and
resources allow.

next prev parent reply	other threads:[~2022-05-28  6:15 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-26 17:47 bug#55666: enhancement request - SHA-256 for emacs downloads Ali Elshishini
2022-05-27 10:59 ` Lars Ingebrigtsen
2022-05-27 11:46   ` Ali Elshishini
2022-05-29  7:42     ` Corwin Brust
2022-05-29 17:08       ` Ali Elshishini
2022-05-29 18:53         ` Corwin Brust
2022-05-29 19:46           ` Ali Elshishini
2022-05-27 12:28   ` Eli Zaretskii
2022-05-28  0:43     ` Ali Elshishini
2022-05-28  6:15       ` Eli Zaretskii [this message]
2022-05-28 17:14         ` Ali Elshishini
2022-05-28 19:06           ` Eli Zaretskii
2022-05-28 19:17             ` Ali Elshishini
2022-05-28 19:27               ` Eli Zaretskii
2022-05-28 20:31                 ` Ali Elshishini
2022-05-28 22:09                   ` Corwin Brust

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=83czfymbd0.fsf@gnu.org \
    --to=eliz@gnu.org \
    --cc=55666@debbugs.gnu.org \
    --cc=corwin@bru.st \
    --cc=larsi@gnus.org \
    --cc=shishini@outlook.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).