
Actually verify tarball against PGP signature

Open Footpad opened this issue 1 year ago • 1 comments

This addresses #192

With only this change, gpg logs a (slightly) more promising message:

gpg: Signature made Thu 30 Mar 2023 10:28:52 PM UTC using RSA key ID ED3D1561
gpg: Can't check signature: No public key

I understand that in https://github.com/kylef/swiftenv/pull/74 this is the desired result as it is intentional that swiftenv will not download the public keys. It would be nice if swiftenv did have a utility to help make that easier, but I agree it doesn't need to be part of the install command.

If I then get the Swift public keys as described on Swift.org, we see a successful verification:

gpg: Signature made Mon 12 Sep 2022 07:39:56 AM UTC using RSA key ID ED3D1561
gpg: Good signature from "Swift 5.x Release Signing Key <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A62A E125 BBBF BB96 A6E0  42EC 925C C1CC ED3D 1561

Footpad, Dec 01 '23 05:12
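The two gpg outcomes quoted in the post above, told apart from gpg's machine-readable --status-fd lines, with the signer pinned to the fingerprint printed there (a "Good signature" from an uncertified key only means something if it is the key you expected). This is an added example, not swiftenv's code or part of the pull request; the function names and the sample status lines are constructed for illustration.

```shell
# Fingerprint as printed on this page, spaces removed.
SWIFT_5X_FPR="A62AE125BBBFBB96A6E042EC925CC1CCED3D1561"

# classify_gpg_status EXPECTED_FPR   (reads `gpg --status-fd` text on stdin)
# Prints good | bad | no-pubkey | unknown | wrong-key; returns 0 only for "good".
classify_gpg_status() {
  awk -v expected="$1" '
    $1 != "[GNUPG:]"  { next }
    $2 == "BADSIG"    { bad = 1 }      # data does not match the signature
    $2 == "NO_PUBKEY" { nokey = 1 }    # the "No public key" case
    $2 == "GOODSIG"   { good = 1 }
    # The last VALIDSIG field is the primary key fingerprint.
    $2 == "VALIDSIG"  { if ($NF == expected) pinned = 1 }
    END {
      if (bad)     { print "bad";       exit 1 }
      if (nokey)   { print "no-pubkey"; exit 2 }
      # Require GOODSIG so expired/revoked results (EXPKEYSIG, REVKEYSIG) fail closed.
      if (!good)   { print "unknown";   exit 3 }
      if (!pinned) { print "wrong-key"; exit 4 }
      print "good"; exit 0
    }'
}

# verify_tarball TARBALL SIGNATURE [FPR]  (hypothetical wrapper around gpg)
verify_tarball() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
    | classify_gpg_status "${3:-$SWIFT_5X_FPR}"
}

# Constructed status lines modelled on the two outputs in the post.
sample_no_pubkey() {
  printf '%s\n' \
    '[GNUPG:] ERRSIG 925CC1CCED3D1561 1 8 00 1680215332 9' \
    '[GNUPG:] NO_PUBKEY 925CC1CCED3D1561'
}
sample_good() {
  printf '%s\n' \
    '[GNUPG:] GOODSIG 925CC1CCED3D1561 Swift 5.x Release Signing Key' \
    '[GNUPG:] VALIDSIG A62AE125BBBFBB96A6E042EC925CC1CCED3D1561 2022-09-12 1662968396 0 4 0 1 8 00 A62AE125BBBFBB96A6E042EC925CC1CCED3D1561' \
    '[GNUPG:] TRUST_UNDEFINED'
}
```

An installer calling verify_tarball would abort on any non-zero return, so a missing key stops the install instead of being logged and ignored.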

Hello @kylef, just drawing your attention to this.

swiftanon, Jul 23 '24 15:07