Trac is being migrated to new services! Issues can be found in our new
YouTrack instance and WIKI pages can be found on our
website.
- Timestamp:
-
Sep 20, 2012, 4:40:40 AM (11 years ago)
- Author:
-
datallah
- Comment:
-
Add more details about who signs the tarballs and how to verify it; remove RPM references; make readonly.
Legend:
- Unmodified
- Added
- Removed
- Modified
-
|
v2
|
v3
|
|
| 1 | | Yes, all packages are signed. The signature for the tarball and bzip2 archive are provided by separate downloads. The RPMs we provide are signed by either Ethan Blanton, Mark Doliner, or Stu Tomlinson. Usually the Mandrake RPMs are signed by, Mark Doliner, the Fedora Core RPMs are signed by Stu Tomlinson, and the Red Hat 8 and 9 RPMs are signed by Ethan Blanton. The keys can be obtained from any key server. http://pgp.mit.edu/ is popular. |
| | 1 | == Source Tarballs == |
| | 2 | The source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are signed with [http://www.gnupg.org/ GPG] by on of the following people: |
| | 3 | ||'''Signer'''||'''Key Signature'''|| |
| | 4 | ||Mark Doliner||`4C292FCC`|| |
| | 5 | ||Ethan Blanton||`771FC72B`|| |
| | 6 | ||Stu Tomlinson||`A9464AA9`|| |
| 2 | 7 | |
| 3 | | There is a less extensive answer to this question at [wiki:"Installing Pidgin#ArethepackagessignedIfsobywhomandhowcanIgetthekey"]. Either this one or the other one should be removed. |
| | 8 | The signatures for the source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are provided as separate `$FILENAME.asc` downloads from the same sourceforge download directory. |
| | 9 | |
| | 10 | You can verify a tarball by downloading both the tarball and its corresponding .asc file: |
| | 11 | {{{ |
| | 12 | gpg --verify $FILENAME.asc |
| | 13 | }}} |
| | 14 | If you haven't already imported the key that was used to sign the tarballs, you'll get a message about an unknown key when you attempt to verify; you'll need to import one of the above key signatures from a public keyserver (e.g. pgp.mit.edu): |
| | 15 | {{{ |
| | 16 | gpg --keyserver pgp.mit.edu --recv-key $KEYSIGNATURE |
| | 17 | }}} |
| | 18 | |
| | 19 | You can read more about how the signing and verification works in the [http://www.gnupg.org/gph/en/manual.html GPG Handbook]. |
| | 20 | |
| | 21 | === Windows Installers === |
| | 22 | As of Pidgin 2.10.7, the Windows installers are signed using the [http://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx Microsoft Authenticode] signing mechanism by Daniel Atallah using a key with a thumbprint of `C5476901C3C63FABF54CEBA9E3F887932A9579B5`. |
| | 23 | |
| | 24 | The signature can be verified most easily by using Windows Explorer to look at the Properties of the installer executable. |
| | 25 | In the "Digital Signatures" tab, you can look at the Details of the signature, "View Certificate", and compare the (case-insensitive, whitespace-insensitive) "Thumbprint" value in the "Details" tab to the value listed above.[[Image(windows_cert_verify_thumbprint.jpg)]] |
| | 26 | |
| | 27 | Alternatively, the signature can be verified using Microsoft's `signtool.exe` utility (which, unfortunately, in order to obtain, requires that you install the at least parts of Microsoft Platform SDK). |
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!
