Closed R44D44 closed 4 months ago
I can start adding checksums for future releases, though please note that checksums are only good for verifying if the download was corrupted.
In the unlikely event that, for example, my Github account is compromised and somebody uploads malware, the only way to know that the file is legitimate is with the digital signatures.
as said i searched for "ssh verify .sig" and similar and could not find an easy way. if you know one, maybe add it to the README.md and verifying the digital signatures
I'm not sure if there's a user friendly GUI way to do it. But the commands from the README should work on Linux, Windows, and Mac without installing anything. (Android with the Termux app should work as well, but I haven't personally tested it.)
"But the commands from the README should work on ...Windows..." well, to me it's not so easy. and sorry in case it bothers you. certainly this applies to any .sig file: "To verify the signature of the zip file, first retrieve the public key". first: it is not obvious to me how to retrieve it, and what to do with it. second: "gpg: keyserver receive failed: No keyserver available"
Can you post a link to the README you're looking at? There shouldn't be anything related to GPG if you're looking at the latest README. That was indeed more painful and I stopped signing with GPG after BCR version 1.30.
README
i installed Gpg4win and used it unsuccessfully, also powershell with gpg --recv-key 2233C479609BDCEC43BE9232F6A3B19090EFF32C.
Yep, that's a really old version of the README. The latest one is at https://github.com/chenxiaolong/BCR and no longer involves GPG.
back to #1 (verifying the digital signatures does not really help me). "First save the public key to a file that lists which keys should be trusted." - how? where?
I pushed e5c5ebe7918ecafc7f8f3179009dfdd5abaf09b5 to try and clarify that. The command right below that line does it.
well, i am close to giving up. i don't get what you are trying to say. "The command right below that line does it." does what?
i opened a powershell window in the directory where BCR-1.60-release.zip + .zip.sig are located.
i paste
echo 'bcr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOe6/tBnO7xZhAWXRj3ApUYgn+XZ0wnQiXM8B7tPgv4' > bcr_trusted_keys
enter
no reaction
i paste ssh-keygen -Y verify -f bcr_trusted_keys -I bcr -n file -s BCR-1.60-release.zip.sig < BCR-1.60-release.zip
enter and get
At line:1 char:85
+ ... bcr_trusted_keys -I bcr -n file -s BCR-1.60-release.zip.sig < BCR-1.6 ...
+ ~
The '<' operator is reserved for future use.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RedirectionNotSupported
You did everything right. Looks like I'll need to find a Windows machine to figure out why powershell doesn't like the command.
Got access to a Windows system. I've updated the README so that the instructions now work on Windows: https://github.com/chenxiaolong/BCR#verifying-zip-file-signature.
i used the copy function on it, pasted it into powershell and got
PS D:\Eigene Dateien\pcloud\Androidessentials> echo 'bcr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOe6/tBnO7xZhAWXRj3ApUYgn+XZ0wnQiXM8B7tPgv4' | Out-File -Encoding ascii bcr_trusted_keys
>>
>> Start-Process -Wait -NoNewWindow -RedirectStandardInput BCR-<version>-release.zip ssh-keygen -ArgumentList "-Y verify -f bcr_trusted_keys -I bcr -n file -s BCR-<version>-release.zip.sig"
Start-Process : This command cannot be run because either the parameter "RedirectStandardInput 'D:\Eigene
Dateien\pcloud\Androidessentials\BCR-<version>-release.zip'" has a value that is not valid or cannot be used with this
command. Give a valid input and Run your command again.
At line:3 char:1
+ Start-Process -Wait -NoNewWindow -RedirectStandardInput BCR-<version> ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-Process], FileNotFoundException
+ FullyQualifiedErrorId : FileNotFoundException,Microsoft.PowerShell.Commands.StartProcessCommand
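For reference, here is the same verification as a small PowerShell script (an added example, not the BCR README's own commands). It takes the release version as a parameter instead of the literal `<version>` placeholder, writes the trusted-keys file with ASCII encoding, and feeds the zip to `ssh-keygen` through `-RedirectStandardInput`, since PowerShell reserves the `<` operator. It assumes the Windows OpenSSH client (`ssh-keygen`) is installed and on PATH, and that the zip and `.sig` are in the current directory.

```powershell
# Added example, not from the BCR project. Verify BCR-<version>-release.zip
# against its .sig with ssh-keygen -Y verify from Windows PowerShell.
param(
    # Placeholder: pass the actual release version, e.g. -Version 1.60
    [Parameter(Mandatory = $true)][string]$Version
)

# Public key as posted in this thread, in OpenSSH "allowed signers" format:
# <principal> <key type> <base64 key>
$TrustedKey = 'bcr ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOe6/tBnO7xZhAWXRj3ApUYgn+XZ0wnQiXM8B7tPgv4'
$KeysFile   = Join-Path (Get-Location) 'bcr_trusted_keys'
$Zip        = Join-Path (Get-Location) "BCR-$Version-release.zip"
$Sig        = "$Zip.sig"

# Fail early with a clear message instead of a FileNotFoundException from Start-Process.
foreach ($f in @($Zip, $Sig)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}
if (-not (Get-Command ssh-keygen -ErrorAction SilentlyContinue)) {
    throw 'ssh-keygen not found; install the Windows OpenSSH client feature.'
}

# Windows PowerShell 5.1 writes UTF-16 with a BOM by default, which ssh-keygen
# does not accept as an allowed-signers file, so force ASCII.
$TrustedKey | Out-File -Encoding ascii -FilePath $KeysFile

# Quote the paths so directories with spaces survive argument splitting.
$SshArgs = "-Y verify -f `"$KeysFile`" -I bcr -n file -s `"$Sig`""

# -RedirectStandardInput plays the role of '<' on Linux/macOS;
# -PassThru returns the process object so the exit code can be checked.
$proc = Start-Process -FilePath ssh-keygen -ArgumentList $SshArgs `
    -RedirectStandardInput $Zip -Wait -NoNewWindow -PassThru

if ($proc.ExitCode -eq 0) {
    Write-Host "OK: $Zip carries a valid signature from the trusted BCR key."
} else {
    Write-Error "FAILED (ssh-keygen exit code $($proc.ExitCode)): do not install $Zip."
    exit $proc.ExitCode
}
```

Run it from the directory containing the release files, e.g. `.\Verify-Bcr.ps1 -Version 1.60`; a non-zero exit code means the zip does not match the signature and should not be installed.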
why don't you just post additional checksums as you said 3 weeks ago? testing code starts to annoy me.
hi, after searching half an hour for an easy way to verify your releases via .sig file, i'd like to suggest to post some checksums @ the release page as well. thank you. the README.md and verifying the digital signatures does not really help me.