Broken verification instructions

Question

Broken verification instructions

sebbASF opened this issue a year ago · 2 comments

The verification instructions at
https://github.com/apache/incubator-pekko-site/blob/4f171bca3915c06ee5964e9edf35966e4dec323a/content/download.html#L286
and
https://github.com/apache/incubator-pekko-site/blob/4f171bca3915c06ee5964e9edf35966e4dec323a/content/download.html#L292

are unnecessarily complicated, and will not work in all situations.

Using 'find' may result in applying the command to additional unrelated downloads, depending on where the files are downloaded. It will only work correctly if the files are in a leaf directory with no other hashes or sigs. Find by default traverses all nested directories. Also Windows has a completely different 'find' command.

In addition, safe GPG verification requires both artifact and signature to be provided on the command line [1].

[1] https://www.apache.org/info/verification.html#CheckingSignatures

Answer 1 · 2024-03-18T08:54:48.000Z

I have updated the instuctions - see https://pekko.apache.org/download.html#verifying-downloads

Answer 2 · 2024-03-18T15:15:12.000Z

Thanks, but the first gpg example is unsafe, as it does not include both the signature and the artifact - see the page I linked above.
It should please be removed.