How to verify downloads
To verify that a downloaded file is not corrupted, download the
*.checksums.txt corresponding to the download you want to verify.
Then run
sha256 -c file_you_downloaded
In adition one can verify the download is authentic by checking its
signature. One can either validate the checksum file which contains a self
contained signature or alternatively validate the downloaded file directly
using the separate *.asc file.
To verify via the checksum file do
gpg2 --verify file_you_downloaded.checksums.txt
To verify via the signature file do
gpg2 --verify file_you_downloaded.asc file_you_downloaded
Should you miss the public key matching the signature (that's expected and normal the first time one validates a download) import the respective key from the list of Keys of the releasers.
Keys of the releasers
The following people have released and signed files on rakudo.org. You are encouraged, to not just download the keys from here, but cross-check the keys / fingerprints with other sources. Devs are encouraged to list their fingerprints at least on their GitHub profile.
- Justin DeVuyst
- Fingerprint:
59E6 3473 6AFD CF9C 6DBA C382 602D 51EA CA88 7C01 - Key: justin_devuyst-59E634736AFDCF9C6DBAC382602D51EACA887C01.asc
- GitHub
- Fingerprint:
- Patrick Böker
- Fingerprint:
DB2B A39D 1ED9 67B5 84D6 5D71 C09F F113 BB64 10D0 - Key: patrick_boeker-DB2BA39D1ED967B584D65D71C09FF113BB6410D0.asc
- Homepage
- GitHub
- Fingerprint:
- Rakudo GitHub automation
- Fingerprint:
3E7E 3C6E AF91 6676 AC54 9285 A291 9382 E961 E2EE - Key: rakudo_github_automation-3E7E3C6EAF916676AC549285A2919382E961E2EE.asc
- Fingerprint:
- Alexander Kiryuhin
- Fingerprint:
FE75 0D15 2426 F3E5 0953 176A DE8F 8F5E 97A8 FCDE - Key: alexander_kiryuhin-FE750D152426F3E50953176ADE8F8F5E97A8FCDE.asc
- GitHub
- Fingerprint: