You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Just wondering whether it's a good idea to have the pubkey on the same server with the rest of the stuff.
But first things first. Please look over the output and confirm or deny the authenticity of the download.
[user#pc ~]$ rm -rf .gnupg
[user#pc ~]$ cd Downloads
[user#pc Downloads]$ gpg --verify Solus-4.4-Plasma.iso.sha256sum.sign Solus-4.4-Plasma.iso.sha256sum
gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: Signature made Thu 06 Jul 2023 05:13:15 PM EEST
gpg: using RSA key F5F6685CAF5559771D9CCB92618EB3600BD32D59
gpg: issuer "releng#getsol.us"
gpg: Can't check signature: No public key
[user#pc Downloads]$ gpg --import solus-releng-pub.gpg
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 618EB3600BD32D59: public key "Solus (Release & Engineering) <releng#getsol.us>" imported
gpg: Total number processed: 1
gpg: imported: 1
[user#pc Downloads]$ gpg --list-keys
/home/user/.gnupg/pubring.kbx
-----------------------------
pub rsa4096 2023-07-02 [SC]
F5F6685CAF5559771D9CCB92618EB3600BD32D59
uid [ unknown] Solus (Release & Engineering) <releng#getsol.us>
sub rsa4096 2023-07-02 [E]
[user#pc Downloads]$ gpg --verify Solus-4.4-Plasma.iso.sha256sum.sign Solus-4.4-Plasma.iso.sha256sum
gpg: Signature made Thu 06 Jul 2023 05:13:15 PM EEST
gpg: using RSA key F5F6685CAF5559771D9CCB92618EB3600BD32D59
gpg: issuer "releng#getsol.us"
gpg: Good signature from "Solus (Release & Engineering) <releng#getsol.us>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F5F6 685C AF55 5977 1D9C CB92 618E B360 0BD3 2D59
[user#pc Downloads]$ sha256sum -c Solus-4.4-Plasma.iso.sha256sum
Solus-4.4-Plasma.iso: OK
[user#pc Downloads]$ sha256sum Solus-4.4-Plasma.iso
5b43ea5c99ed880bcf3822b1668f980b41fbc688a5cddca13aaba0c5989d4b57 Solus-4.4-Plasma.iso
[user#pc Downloads]$ b2sum Solus-4.4-Plasma.iso
669a41cffe1df715c5642b79b214dc8316d24a80d2907b8c33a4cd09f74d6305955cd1a412233d57f340eff1eb140849327e98e24dad658d82465e8cdd1a1a09 Solus-4.4-Plasma.iso
[user#pc Downloads]$```
Is that what it should look like? Much appreciated in advance.
The text was updated successfully, but these errors were encountered:
The correct key fingerprint is F5F6 685C AF55 5977 1D9C CB92 618E B360 0BD3 2D59. Which matches your output.
Just wondering whether it's a good idea to have the pubkey on the same server with the rest of the stuff.
It's not a bad idea per se (why would one piece of infra be compromised, but not another?). I do think we can store it someone else though. I'll update this task if we do.
Just wondering whether it's a good idea to have the pubkey on the same server with the rest of the stuff.
But first things first. Please look over the output and confirm or deny the authenticity of the download.
The text was updated successfully, but these errors were encountered: