GNU bug report logs - #55666
enhancement request - SHA-256 for emacs downloads


Package: emacs;

Reported by: Ali Elshishini <shishini <at> outlook.com>

Date: Thu, 26 May 2022 20:27:02 UTC

Severity: wishlist

Tags: wontfix

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Message #24 received at 55666 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Ali Elshishini <shishini <at> outlook.com>, Corwin Brust <corwin <at> bru.st>
Cc: larsi <at> gnus.org, 55666 <at> debbugs.gnu.org
Subject: Re: bug#55666: enhancement request - SHA-256 for emacs downloads
Date: Sat, 28 May 2022 09:15:23 +0300
> From: Ali Elshishini <shishini <at> outlook.com>
> CC: "55666 <at> debbugs.gnu.org" <55666 <at> debbugs.gnu.org>
> Date: Sat, 28 May 2022 00:43:28 +0000
> 
> Thanks for pointing out the announcement email.
> Unfortunately it doesn't include the SHA hashes for the Windows files.

You never said in your original message that this is about the Windows
binaries.

The Windows precompiled binaries are produced by volunteers who are
only loosely associated with the Emacs project.  The project releases
Emacs as source tarballs, and the SHA checksums for that are in the
announcement.  I've CC'ed Corwin, who produced the latest binaries of
Emacs 28.1.

For the Windows binaries, providing the SHA checksums is entirely up
to the person(s) who makes the binaries available.

> Also, verifying the signature on Windows, I am not sure if this is the expected output;
> to me it looks like it failed.
> 
> From command line
> 
> PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --keyserver keyserver.ubuntu.com --recv-keys 17E90D521672C04631B1183EE78DAE0F3115E06B
> gpg: key E78DAE0F3115E06B: "Eli Zaretskii <eliz <at> gnu.org>" not changed
> gpg: Total number processed: 1
> gpg:              unchanged: 1
> PS C:\downloads> C:\"Program Files (x86)"\GnuPG\bin\gpg --verify .\emacs-28.1.zip.sig
> gpg: assuming signed data in '.\emacs-28.1.zip'
> gpg: Signature made 2022-04-21 4:11:30 PM Eastern Daylight Time
> gpg:                using RSA key ECE77CF417C76C1ACFCE7C2B5B6135511580F007
> gpg: Can't check signature: No public key
> PS C:\downloads>

You are using the wrong GPG key: my key was used to sign the source
tarballs, not the Windows binary zip files.  The Windows binaries were
signed by Corwin Brust's key as the Download page says.  You need to
fetch that key, not mine.

> I think adding the SHA hashes somewhere remains a valuable addition
> using and verifying signature on windows is more complicated than it needs to be

That may be so, but this activity is based on volunteers doing this in
their free time.  We can only ask them to do what their time and
resources allow.
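
The following is an added example, not part of the thread and not GnuPG or Emacs project code. It classifies the machine-readable output of `gpg --status-fd 1 --verify FILE.sig` so that "No public key" (nothing was verified) is not confused with a bad signature, and so that a good signature from a key other than the expected one is flagged. The status text is constructed, the function names are hypothetical, and the two fingerprints are the ones shown in the quoted session; treating the second as the expected signer is an assumption for illustration.

```python
PREFIX = "[GNUPG:] "
# Fingerprints copied from the gpg session quoted above.
SOURCE_TARBALL_KEY = "17E90D521672C04631B1183EE78DAE0F3115E06B"
ZIP_SIG_KEY = "ECE77CF417C76C1ACFCE7C2B5B6135511580F007"

# Constructed status output (not captured from a real run).
NO_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 5B6135511580F007 1 8 00 1650571890 9 ECE77CF417C76C1ACFCE7C2B5B6135511580F007
[GNUPG:] NO_PUBKEY 5B6135511580F007
"""
GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5B6135511580F007 Example Signer (constructed)
[GNUPG:] VALIDSIG ECE77CF417C76C1ACFCE7C2B5B6135511580F007 2022-04-21 1650571890 0 4 0 1 8 00 ECE77CF417C76C1ACFCE7C2B5B6135511580F007
"""

def parse_status(text):
    """Return {keyword: args} for the first occurrence of each status keyword."""
    seen = {}
    for line in text.splitlines():
        parts = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        if parts:
            seen.setdefault(parts[0], parts[1:])
    return seen

def classify(text, expected_fpr):
    """Return (verdict, key id or fingerprint) for one signature check.

    expected_fpr must come from a trusted channel (e.g. the Download page),
    never from the signature being checked.
    """
    seen, expected = parse_status(text), expected_fpr.upper()
    if "BADSIG" in seen:  # data or signature was altered
        return "bad-signature", seen["BADSIG"][0]
    if "NO_PUBKEY" in seen:  # nothing was verified; the keyring lacks this key
        keyid = seen["NO_PUBKEY"][0].upper()
        match = expected.endswith(keyid)
        return ("missing-expected-key" if match else "missing-unexpected-key"), keyid
    if "GOODSIG" in seen and "VALIDSIG" in seen:
        v = seen["VALIDSIG"]
        # Field 0 is the signing (sub)key, field 9 the primary key when present.
        signing, primary = v[0].upper(), (v[9] if len(v) > 9 else v[0]).upper()
        ok = expected in (signing, primary)
        return ("good-expected-signer" if ok else "good-unexpected-signer"), primary
    return "unverified", ""
```

With the source-tarball key as the expected signer, the quoted session maps to `missing-unexpected-key`: the signature names a key that is neither in the keyring nor the one that was imported.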




This bug report was last modified 2 years and 359 days ago.
