Re: Need better release validation documentation/strategy.

[ckeader]

> For some reason key servers are not very helpful these days with some 
> of them offering distorted behavior or appearing to be severely 
> overloaded.  It may be that the key server used by default by Ubuntu 
> Linux imposes additional limitations such as regarding exposing email 
> addresses. The user might need to know how to specify a different 
> server and know which ones to use.
 
The key server network as we knew it is dead and buried, and I would not
expect any of them to provide complete or indeed reliable information.
This article explains why:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f.
There was some discussion at the time over on gnupg-users also.

Providing the signer's pub keys on a (secured) web site seems to be the
best option for now.

The key to verifying the base64 encoded checksums is a conversion from
binary to hex and vice versa. od from coreutils and xxd from vim can be
used.

| Here are the SHA1 and SHA256 checksums:
|
| 91fa501ada319c4dc8f796208440d45a3f48ed13  gzip-1.12.tar.gz
| W0+xTTgxTgny/IocUQ581UCj6g4+ubBCAEa4LDv0EIU  gzip-1.12.tar.gz
| 318107297587818c8f1e1fbb55962f4b2897bc0b  gzip-1.12.tar.xz
| zl4D5Rn2N+H4FAEazjXE+HszwLur7sNbr1+9NHnpGVY  gzip-1.12.tar.xz

$ echo "zl4D5Rn2N+H4FAEazjXE+HszwLur7sNbr1+9NHnpGVY" |base64 -d |xxd -p |tr -d 
'\n'
base64: invalid input
ce5e03e519f637e1f814011ace35c4f87b33c0bbabeec35baf5fbd3479e91956$
$ echo "zl4D5Rn2N+H4FAEazjXE+HszwLur7sNbr1+9NHnpGVY" |base64 -d | od -A n -v -t 
x1 |tr -d ' \n'
base64: invalid input
ce5e03e519f637e1f814011ace35c4f87b33c0bbabeec35baf5fbd3479e91956$
$ sha256sum gzip-1.12.tar.xz
ce5e03e519f637e1f814011ace35c4f87b33c0bbabeec35baf5fbd3479e91956  
gzip-1.12.tar.xz
$ 

For the reverse operation, use xxd -r -p, or openssl sha256 -binary. The
"invalid input" message above is due to missing padding.

An important question has not been asked yet, IMHO - why are maintainers
using this relatively obscure method for hashing?