[CMake] GPG-Verifying the integrity of a CMake release: BAD signature from "Brad King"
Brad King
brad.king at kitware.com
Mon May 9 12:48:02 EDT 2016
On 05/09/2016 11:11 AM, Konrad Kleine wrote:
> ADD https://cmake.org/files/v3.5/cmake-3.5.2-Linux-x86_64.tar.gz /tmp
> ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt /tmp
> ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt.asc /tmp
[snip]
> # Verify the integrity of the downloaded cmake tarball against Brad King's key
> RUN gpg --verbose --verify /tmp/cmake*.asc /tmp/cmake*.tar.gz
The "cmake-3.5.2-SHA-256.txt.asc" file is a signature of the SHA-256 summary
file "cmake-3.5.2-SHA-256.txt". You need to check that signature:

 $ curl -O https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt
 $ curl -O https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt.asc
 $ gpg --verbose --verify cmake-3.5.2-SHA-256.txt.asc cmake-3.5.2-SHA-256.txt
 ...
 gpg: Good signature from "Brad King"
 ...

Then check that the SHA-256 matches the binary:

 $ curl -O https://cmake.org/files/v3.5/cmake-3.5.2-Linux-x86_64.tar.gz
 $ grep "$(shasum -a 256 cmake-3.5.2-Linux-x86_64.tar.gz)" cmake-3.5.2-SHA-256.txt
 5f7aeaebe33521647625e0411467de71a2886743e4aa2c179e04c9e141c6c8cd cmake-3.5.2-Linux-x86_64.tar.gz

-Brad
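
The two-step check described in the message above, as a fail-closed script for a Dockerfile or CI step. This is an added example, not part of the original post and not CMake project code. It goes slightly beyond the message by pinning the signer's fingerprint (a placeholder here, an assumption you must fill in) and by comparing the manifest entry by exact file name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. File names are the ones from the thread; the pinned
# fingerprint is a placeholder you must replace with the real one.

# Print the lowercase hex SHA-256 of FILE with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Print the digest listed for exactly NAME in MANIFEST ("<hex> <name>" lines).
# Fails unless there is exactly one such entry, so a missing or duplicated
# name is never accepted. String comparison on the name field, not a regex.
manifest_hash() {
    awk -v name="$2" '
        ($2 "") == (name "") || ($2 "") == ("*" name) { print $1; n++ }
        END { exit (n != 1) }' "$1"
}

# Succeed only if FILE hashes to the digest MANIFEST lists for its basename.
check_against_manifest() {
    expected=$(manifest_hash "$1" "$(basename "$2")") || return 1
    actual=$(sha256_of "$2") || return 1
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Succeed only if SIG is a valid detached signature over MANIFEST made by the
# key with fingerprint FPR (read from gpg's machine-readable VALIDSIG line).
signed_by() {
    out=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" | awk -v fpr="$3" '
        $2 == "VALIDSIG" && (($3 "") == (fpr "") || ($NF "") == (fpr "")) { ok = 1 }
        END { exit !ok }'
}

# Both steps, in order; the tarball is trusted only if both pass.
verify_release() {   # MANIFEST SIG TARBALL FPR
    signed_by "$1" "$2" "$4" && check_against_manifest "$1" "$3"
}

# Usage (after downloading the three files named in the thread):
#   verify_release cmake-3.5.2-SHA-256.txt cmake-3.5.2-SHA-256.txt.asc \
#       cmake-3.5.2-Linux-x86_64.tar.gz '<SIGNING_KEY_FINGERPRINT>'
```
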