On 12/16/19 1:08 PM, Good Guy via Boost-users wrote:

On 16/12/2019 17:15, David P. Riedel via Boost-users wrote:

...

Hi

I'm trying to find the boost public pgp key so I can validate the release archive against its signature file.

But I can't find where to import the public key from or what it is called.

Thanks for any help. Where are you downloading from?  I have seen asc files at this link:

https://dl.bintray.com/boostorg/release/1.72.0/source/

Yes, I've downloaded the .7z archive and the .7z.asc signature file But when I do: gpg --verify using the signature and archive file names, gpg says it can't because I don't have the public key, hence my question. Thanks

On 16/12/2019 20:34, Good Guy via Boost-users wrote:

You can verify using this:

sha256":"25db3956a8d58187ac7a0702cc917e9bab47ff90baafc35e4e789dca1ce5f423"

You get this code from the json file available at the same link provided above.

Sorry the correct sha256 latest version is this: { "sha256":"247a91dd7e4d9dd3c4b954b532fbc167ba62dc15ab834e5ad893d7c3f9eb5f0f", "file":"boost_1_72_0.7z", "commit":"789155d431930ebef4766550ed7bd09f62eac714" } The json file is this: https://dl.bintray.com/boostorg/release/1.72.0/source/boost_1_72_0.7z.json -- With over 1.2 billion devices now running Windows 10, customer satisfaction is higher than any previous version of windows.

On 12/16/19 3:55 PM, Rene Rivera via Boost-users wrote:

On Mon, Dec 16, 2019 at 12:39 PM David P. Riedel via Boost-users mailto:boost-users@lists.boost.org> wrote:

On 12/16/19 1:08 PM, Good Guy via Boost-users wrote: > On 16/12/2019 17:15, David P. Riedel via Boost-users wrote: >> Hi >> >> I'm trying to find the boost public pgp key so I can validate the >> release archive against its signature file. >> >> But I can't find where to import the public key from or what it is >> called. >> >> Thanks for any help. > Where are you downloading from?  I have seen asc files at this link: > > https://dl.bintray.com/boostorg/release/1.72.0/source/ > > > Yes, I've downloaded the .7z archive and the .7z.asc signature file

But when I do:  gpg --verify using the signature and archive file names, gpg says it can't because I don't have the public key, hence my question.

The archives are signed against the Bintray general key. I don't have a link handy to it ATM though.

-- -- Rene Rivera -- Grafik - Don't Assume Anything -- Robot Dreams - http://robot-dreams.net http://robot-dreams.net/

_______________________________________________ Boost-users mailing list Boost-users@lists.boost.org https://lists.boost.org/mailman/listinfo.cgi/boost-users

Thanks! the gpg --verify command which failed said the archive was signed using RSA key 379CE192D401AB61. I tried a gpg --search-keys with that ID and found the Bintray entry which I could then import. gpg --verify then did complain that the imported key was untrusted so there must be some additional step needed for this to be useful.