pjfanning
commented
7 months ago I have updated the instuctions - see https://pekko.apache.org/download.html#verifying-downloads
Open sebbASF opened 7 months ago
pjfanning
commented
7 months ago I have updated the instuctions - see https://pekko.apache.org/download.html#verifying-downloads
sebbASF
commented
7 months ago Thanks, but the first gpg example is unsafe, as it does not include both the signature and the artifact - see the page I linked above. It should please be removed.
The verification instructions at https://github.com/apache/incubator-pekko-site/blob/4f171bca3915c06ee5964e9edf35966e4dec323a/content/download.html#L286 and https://github.com/apache/incubator-pekko-site/blob/4f171bca3915c06ee5964e9edf35966e4dec323a/content/download.html#L292
are unnecessarily complicated, and will not work in all situations.
Using 'find' may result in applying the command to additional unrelated downloads, depending on where the files are downloaded. It will only work correctly if the files are in a leaf directory with no other hashes or sigs. Find by default traverses all nested directories. Also Windows has a completely different 'find' command.
In addition, safe GPG verification requires both artifact and signature to be provided on the command line [1].
[1] https://www.apache.org/info/verification.html#CheckingSignatures