They GPG-sign the cryptographic checksums, see the .gpg files. If you don't verify the GPG sig, with Canonical's signing key obtained out of band, the checksum by itself is pretty useless as you describe.
PS. anyone know of a CLI download tool that supports this format of GPG signatures?
edit: why the downvotes for the parent? it's a fine question
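The verify-then-check order the comment describes, as an added POSIX shell example (not code from the thread or from Canonical): the detached signature on SHA256SUMS is checked first against a keyring obtained out of band, and only then are file hashes compared. To run offline it constructs its own throwaway signing key and a stand-in `example.iso`; the keyring path `publisher.gpg` and the key's user ID are assumptions for the demo, not Canonical's actual key.

```shell
#!/bin/sh
# Added example: verify a GPG-signed checksum file, then the checksums.
# Everything here is constructed locally (throwaway key, fake ISO).
set -eu

# verify_signed_checksums DIR KEYRING
#   DIR     holds SHA256SUMS, the detached SHA256SUMS.gpg and the image
#   KEYRING is the publisher's public key obtained out of band (assumed to be
#           a plain keyring file such as `gpg --export` writes)
# Returns 0 on success, 1 if the signature fails, 2 if a checksum mismatches.
verify_signed_checksums() {
  dir=$1
  keyring=$2
  # Step 1: the signature. Without it, SHA256SUMS is just text anyone could edit.
  gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
      --verify "$dir/SHA256SUMS.gpg" "$dir/SHA256SUMS" 2>/dev/null || return 1
  # Step 2: only a signed, verified list is worth comparing hashes against.
  (cd "$dir" && sha256sum -c --quiet SHA256SUMS) 2>/dev/null || return 2
  return 0
}

# make_fixture WORKDIR
#   Builds a release directory and a separate "out-of-band" keyring file.
#   The key is a constructed throwaway standing in for a publisher's key.
make_fixture() {
  work=$1
  GNUPGHOME="$work/gnupg"
  export GNUPGHOME
  mkdir -p "$GNUPGHOME" "$work/release"
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Example Publisher <release@example.invalid>' \
      default sign never 2>/dev/null
  printf 'not really an ISO image\n' > "$work/release/example.iso"
  (cd "$work/release" && sha256sum example.iso > SHA256SUMS)
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$work/release/SHA256SUMS.gpg" \
      "$work/release/SHA256SUMS"
  # The public key a user would fetch separately (not from the download site).
  gpg --batch --quiet --export > "$work/publisher.gpg"
}

# cleanup_fixture WORKDIR: stop the agent started for the temporary home.
cleanup_fixture() {
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$1"
}

# run_demo: good release, then a tampered image, then a tampered checksum list.
run_demo() {
  w=$(mktemp -d)
  make_fixture "$w"
  rc=0; verify_signed_checksums "$w/release" "$w/publisher.gpg" || rc=$?
  echo "untouched release:          rc=$rc (0 = OK)"
  printf 'extra bytes\n' >> "$w/release/example.iso"
  rc=0; verify_signed_checksums "$w/release" "$w/publisher.gpg" || rc=$?
  echo "image modified:             rc=$rc (2 = checksum mismatch)"
  printf 'bogus line\n' >> "$w/release/SHA256SUMS"
  rc=0; verify_signed_checksums "$w/release" "$w/publisher.gpg" || rc=$?
  echo "checksum list modified:     rc=$rc (1 = signature failure)"
  cleanup_fixture "$w"
}

[ "${1:-}" = "demo" ] && run_demo
```

Run it as `sh verify.sh demo`. The third case is the one the comment is about: an edited SHA256SUMS would pass a plain `sha256sum -c` against a matching tampered image, but fails in step 1 because it no longer matches the signature made with the key held out of band.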