Re: [Help-bash] How to use files like bash-5.0.tar.gz.sig?

[Peng Yu]

> You haven't downloaded Chet's key, then.  This will download it
> (assuming your gpg installation is set up to point to typical public
> keyservers already):
>
> $ gpg --recv-keys 0xBB5869F064EA74AB
>
> Then, depending on your level of paranoia, and how many GPG key-signing
> parties you have participated in, you will either have to just assume
> that you did indeed get Chet's public key, or you will be able to rely
> on the GPG web-of-trust to trace between keys you have signed back
> through people who have in turn signed Chet's key.  But proper GPG
> signing is a topic all its own, and further questions about it will
> probably be answered more definitively on lists dedicated to GPG than on
> this list.

Indeed, it still needs more steps. But since .sig is offered along
with bash source package, shouldn't be there an instruction showing
the complete set of commands about how to use .sig for users with
little background on gpg?

$ gpg --recv-keys 0xBB5869F064EA74AB
gpg: key BB5869F064EA74AB: 3 duplicate signatures removed
gpg: key BB5869F064EA74AB: 8 signatures not checked due to missing keys
gpg: /Users/pengy/.gnupg/trustdb.gpg: trustdb created
gpg: key BB5869F064EA74AB: public key "Chet Ramey <address@hidden>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --verify bash-5.0.tar.gz.sig
gpg: assuming signed data in 'bash-5.0.tar.gz'
gpg: Signature made Mon Jan  7 07:58:19 2019 CST
gpg:                using DSA key 7C0135FB088AAF6C66C650B9BB5869F064EA74AB
gpg: Good signature from "Chet Ramey <address@hidden>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7C01 35FB 088A AF6C 66C6  50B9 BB58 69F0 64EA 74AB

-- 
Regards,
Peng