Signatures

From release 6.0.12 onward, the distributions are published with both a GPG signature made with Ron's key and an MD5 checksum.

This lets you, the downloader, verify that the distribution zip file is intact and that it was in fact created by Ron.

To verify the file is intact, you will want to use "md5sum" or a similar utility:

 md5sum distro.zip

or

 gpg --print-mds distro.zip

or use the following Reva code (in the examples directory from version 6.0.13 onward):

 needs crypt/md5
 
 : do1file ( n -- )
     argv 2dup slurp over >r
     md5 type space type cr
     r> free 
     ;
 : dofiles argc 1 do i do1file loop ;
 
 with~ ~sys
 ' dofiles is appstart
 without~
 
 ." Generating MD5 executable... "
 " md5" makeexename (save) ." done!" bye

Compare the printed MD5 sum with the value listed on the web page.

To verify that the file is the one Ron created, you first need to have GNU Privacy Guard (gpg), which is free for download and runs on many different systems.

Next, you will want to import Ron's GPG key as linked above:

 gpg --import ronkey.asc

When you have "gpg", and have downloaded both the distro and its associated signature file, you may verify the distro like this:

 gpg --verify distro.zip.asc distro.zip

If everything is fine, you should see something like:

 gpg: Signature made Thu 21 Sep 2006 10:32:11 PM PDT using DSA key ID AD29415D
 gpg: Good signature from "Ron Aaron <ron@ronware.org>"
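
Both checks above can be combined in a script. The following is an added example, not part of the Reva distribution: the function names are hypothetical and the sample status text is constructed. It also confirms which key made the signature, because "gpg --verify" succeeds for a good signature from any key in your keyring.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of Reva or gpg.

# Constructed sample of `gpg --status-fd 1 --verify` output. The fingerprint
# is a placeholder that merely ends in the key ID printed on the page.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000AD29415D Ron Aaron <ron@ronware.org>
[GNUPG:] VALIDSIG 00000000000000000000000000000000AD29415D 2006-09-22 1158903131 0 3 0 17 2 00 00000000000000000000000000000000AD29415D'

# md5_matches FILE EXPECTED: true only if FILE's MD5 equals the published value.
md5_matches() {
    actual=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# signed_by STATUS KEYID: true only if STATUS has a VALIDSIG line whose
# signing-key fingerprint (field 3) ends in KEYID.
signed_by() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    fpr=$(printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    case "$fpr" in
        *"$want") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_distro ZIP SIG EXPECTED_MD5 KEYID: both checks from the page.
verify_distro() {
    md5_matches "$1" "$3" || { echo "MD5 mismatch: $1" >&2; return 1; }
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) ||
        { echo "gpg could not verify $2" >&2; return 1; }
    signed_by "$status" "$4" ||
        { echo "good signature, but not from key $4" >&2; return 1; }
    echo "OK: $1 is intact and signed by $4"
}

# Usage: verify_distro distro.zip distro.zip.asc <md5-from-web-page> AD29415D
```

The page gives only the short key ID; if you have Ron's full fingerprint from a trusted source, pass that instead, since short IDs are not unique.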