|
From: | Ali Elshishini |
Subject: | bug#55666: enhancement request - SHA-256 for emacs downloads |
Date: | Sat, 28 May 2022 00:43:28 +0000 |
Hi Eli
Thanks for pointing out the announcement email
Unfortunately it doesn't include the SHA hashes for the windows files Also verify the signature on windows I am not sure if this is the expected output for me look like it failed >From command line PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B gpg: key E78DAE0F3115E06B: "Eli Zaretskii <eliz@gnu.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
gpg: assuming signed data in '.\emacs-28.1.zip'
gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
gpg: using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
gpg: Can't check signature: No public key
PS C:\downloads>>From UI I think adding the SHA hashes somewhere remains a valuable addition using and verifying signature on windows is more complicated than it needs to be
Ali Regards From: Eli Zaretskii <eliz@gnu.org>
Sent: May 27, 2022 8:28 AM To: Lars Ingebrigtsen <larsi@gnus.org> Cc: shishini@outlook.com <shishini@outlook.com>; 55666@debbugs.gnu.org <55666@debbugs.gnu.org> Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads > Cc: 55666@debbugs.gnu.org
> From: Lars Ingebrigtsen <larsi@gnus.org> > Date: Fri, 27 May 2022 12:59:25 +0200 > > Ali Elshishini <shishini@outlook.com> writes: > > > May you please include a list of SHA-256 hashes for the downloads in > > https://www.gnu.org/software/emacs/download.html > > > > This will provide an easy and secure way to verify downloads > > Please note that the experience to verify the signature on windows is very poor > > and it for me at least ended up with the file nor being verified because of missing > > public key > > > > A SHA-256 hash will be a simple solution > > That would require people to edit that web page every time they generate > a package, which would be error prone and require too much work of the > people who build the packages. > > The packages are signed, which I think should be more than sufficient, > so I'm closing this bug report. In addition, one can find the SHA values in the announcements made on info-gnu-emacs. Here's the one about Emacs 28.1: https://lists.gnu.org/archive/html/info-gnu-emacs/2022-04/msg00000.html You can similarly search for announcements of the older releases. |
[Prev in Thread] | Current Thread | [Next in Thread] |