help-bash


Re: [Help-bash] How to use files like bash-5.0.tar.gz.sig?


From: Eric Blake
Subject: Re: [Help-bash] How to use files like bash-5.0.tar.gz.sig?
Date: Mon, 21 Jan 2019 11:30:38 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0

On 1/20/19 11:36 AM, Peng Yu wrote:
> Hi,
> 
> I see files like this. I think that it is to check the integrity of
> the source file downloaded. Is it? How to use it? Why not just use a
> checksum?

A GPG signature is more reliable than a checksum (there are research
papers out there proving that it is comparatively easier to come up with
two distinct images that have the same checksum than it is to come up
with two distinct images that pass GPG's signature checking).

> 
> bash-5.0.tar.gz.sig

Download both bash-5.0.tar.gz and the .sig file into the same directory,
then run:

$ gpg --verify bash-5.0.tar.gz.sig

to learn if gpg can validate that your copy of bash-5.0.tar.gz is
byte-wise accurate to the one that Chet signed as being authentic.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature
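
As an added example (not part of Eric Blake's message): when the check is scripted, a signature that verifies is only meaningful if it was made by the key you expect, so the functions below read gpg's machine-readable `--status-fd` lines and accept the file only when a valid signature comes from a fingerprint pinned in advance. The function names, the sample status lines and the fingerprint are constructed placeholders; the real signer's fingerprint has to come from a source you trust.

```shell
#!/bin/sh
# Added example: decide on gpg's machine-readable status lines, not its prose output.

# check_status EXPECTED_FPR  (status lines from `gpg --status-fd` on stdin)
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the signing key or its
# primary key, and no line reports a bad, unverifiable, expired or revoked signature.
check_status() {
    gs_want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$gs_want" ] || return 2          # refuse to run without a pinned fingerprint
    gs_ok=1
    while read -r gs_prefix gs_tag gs_a1 gs_rest; do
        [ "$gs_prefix" = "[GNUPG:]" ] || continue
        case $gs_tag in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
            VALIDSIG)
                # First field: fingerprint of the key that signed.
                # Last field: fingerprint of its primary key (differs for subkeys).
                gs_primary=${gs_rest##* }
                if [ "$gs_a1" = "$gs_want" ] || [ "$gs_primary" = "$gs_want" ]; then
                    gs_ok=0
                fi ;;
        esac
    done
    return "$gs_ok"
}

# verify_release SIGFILE DATAFILE EXPECTED_FPR
# Names both files explicitly instead of letting gpg infer the data file name.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed sample status output; the fingerprint is a made-up placeholder.
SAMPLE_FPR=AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
sample_good() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 0000111122223333 Example Signer <signer@example.org>" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2019-01-07 1546819200 0 4 0 1 8 00 $SAMPLE_FPR"
}
sample_bad() {
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] BADSIG 0000111122223333 Example Signer <signer@example.org>"
}
```

With the signer's public key imported, the call would be `verify_release bash-5.0.tar.gz.sig bash-5.0.tar.gz "$FPR"`, where `FPR` holds the pinned fingerprint.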

