unofficial mirror of bug-gnu-emacs@gnu.org 
From: Ali Elshishini <shishini@outlook.com>
To: Eli Zaretskii <eliz@gnu.org>, Lars Ingebrigtsen <larsi@gnus.org>
Cc: "55666@debbugs.gnu.org" <55666@debbugs.gnu.org>
Subject: bug#55666: enhancement request - SHA-256 for emacs downloads
Date: Sat, 28 May 2022 00:43:28 +0000
Message-ID: <BL0PR1901MB4676C79F8C3637A844934BB4DBDB9@BL0PR1901MB4676.namprd19.prod.outlook.com>
In-Reply-To: <835ylrnor3.fsf@gnu.org>



Hi Eli

Thanks for pointing out the announcement email.
Unfortunately, it doesn't include the SHA hashes for the Windows files.

Also, verifying the signature on Windows, I am not sure if this is the expected output;
to me it looks like it failed.

From command line

PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B
gpg: key E78DAE0F3115E06B: "Eli Zaretskii <eliz@gnu.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
gpg: assuming signed data in '.\emacs-28.1.zip'
gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
gpg:                using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: Can't check signature: No public key
PS C:\downloads>

From UI

[inline image: image.png]

I think adding the SHA hashes somewhere remains a valuable addition;
using and verifying the signature on Windows is more complicated than it needs to be.

Regards
Ali

________________________________
From: Eli Zaretskii <eliz@gnu.org>
Sent: May 27, 2022 8:28 AM
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: shishini@outlook.com <shishini@outlook.com>; 55666@debbugs.gnu.org <55666@debbugs.gnu.org>
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads

> Cc: 55666@debbugs.gnu.org
> From: Lars Ingebrigtsen <larsi@gnus.org>
> Date: Fri, 27 May 2022 12:59:25 +0200
>
> Ali Elshishini <shishini@outlook.com> writes:
>
> > May you please include a list of SHA-256 hashes for the downloads in
> > https://www.gnu.org/software/emacs/download.html
> >
> > This will provide an easy and secure way to verify downloads
> > Please note that the experience to verify the signature on Windows is very poor
> > and it for me at least ended up with the file not being verified because of missing
> > public key
> >
> > A SHA-256 hash will be a simple solution
>
> That would require people to edit that web page every time they generate
> a package, which would be error prone and require too much work of the
> people who build the packages.
>
> The packages are signed, which I think should be more than sufficient,
> so I'm closing this bug report.

In addition, one can find the SHA values in the announcements made on
info-gnu-emacs.  Here's the one about Emacs 28.1:

  https://lists.gnu.org/archive/html/info-gnu-emacs/2022-04/msg00000.html

You can similarly search for announcements of the older releases.
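
For the two checks discussed in this message (comparing a published SHA-256 value and checking the detached signature), the following PowerShell functions are an added example, not code from the thread or from the Emacs project. They assume the gpg location shown in the transcript (with .exe appended) and take the expected hash and key fingerprint as parameters obtained from a source you already trust; the function and result names are illustrative.

```powershell
# Added example: function names, result names and the default gpg path are assumptions.
function Test-Sha256 {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Expected)   # hex digest from the announcement
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # String -eq is case-insensitive in PowerShell, so either hex case matches.
    return $actual -eq $Expected.Trim()
}

function Get-GpgVerdict {
    param([Parameter(Mandatory)][string]$Signature,
          [Parameter(Mandatory)][string]$File,
          [Parameter(Mandatory)][string]$ExpectedFingerprint,
          [string]$Gpg = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe')

    # --status-fd 1 writes machine-readable "[GNUPG:] ..." lines to stdout;
    # the localized human-readable text goes to stderr and is dropped here.
    $status = @(& $Gpg --status-fd 1 --verify $Signature $File 2>$null)
    $want   = $ExpectedFingerprint -replace '\s', ''

    if ($status -match '^\[GNUPG:\] BADSIG ') {
        return [pscustomobject]@{ Result = 'BadSignature'; Key = $null }
    }
    $good = $status -match '^\[GNUPG:\] GOODSIG '
    foreach ($line in $status) {
        if ($line -match '^\[GNUPG:\] NO_PUBKEY (\S+)') {
            # The signature was not checked at all: the key that made it is not
            # in the keyring. This is neither a pass nor a bad-signature verdict.
            return [pscustomobject]@{ Result = 'NoPublicKey'; Key = $Matches[1] }
        }
        if ($good -and $line -match '^\[GNUPG:\] VALIDSIG ') {
            $fields = $line -split ' '
            # Field 2 is the signing key's fingerprint; the last field is the
            # primary key's fingerprint (they differ when a subkey signed).
            $fprs   = $fields[2], $fields[-1]
            $result = if ($want -in $fprs) { 'Good' } else { 'GoodButUnexpectedKey' }
            return [pscustomobject]@{ Result = $result; Key = $fields[2] }
        }
    }
    return [pscustomobject]@{ Result = 'Unverified'; Key = $null }
}
```

The transcript in this message corresponds to the NoPublicKey outcome: the key received was 17E90D521672C04631B1183EE78DAE0F3115E06B, while the signature names RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007.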


Thread overview: 16+ messages
2022-05-26 17:47 bug#55666: enhancement request - SHA-256 for emacs downloads Ali Elshishini
2022-05-27 10:59 ` Lars Ingebrigtsen
2022-05-27 11:46   ` Ali Elshishini
2022-05-29  7:42     ` Corwin Brust
2022-05-29 17:08       ` Ali Elshishini
2022-05-29 18:53         ` Corwin Brust
2022-05-29 19:46           ` Ali Elshishini
2022-05-27 12:28   ` Eli Zaretskii
2022-05-28  0:43     ` Ali Elshishini [this message]
2022-05-28  6:15       ` Eli Zaretskii
2022-05-28 17:14         ` Ali Elshishini
2022-05-28 19:06           ` Eli Zaretskii
2022-05-28 19:17             ` Ali Elshishini
2022-05-28 19:27               ` Eli Zaretskii
2022-05-28 20:31                 ` Ali Elshishini
2022-05-28 22:09                   ` Corwin Brust
