As stated in
https://docs.gitea.io/en-us/install-from-binary/
there’s a way to verify the binary. That’s what I attempt here, but it fails.
On a Linux box I do
wget -O gitea https://dl.gitea.io/gitea/1.9.3/gitea-1.9.3-linux-amd64
resulting in a gitea binary. When I try to verify it, I’ve got to download the key first:
gpg --keyserver pgp.mit.edu --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
I either get
gpg: keyserver receive failed: No data
Ok, keyserver not willing to respond. I’ll try again. When I finally succeed it says
gpg: key 2D9AE806EC1592E2: 5 signatures not checked due to missing keys
gpg: key 2D9AE806EC1592E2: public key "Teabot <teabot@gitea.io>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
Sounds good, but there’s no keyfile written to my directory?
- The binary to verify I got from the download is named “gitea”, not “gitea-1.9.3-linux-amd64”? Is that ok?
- There’s no keyfile “gitea-1.9.3-linux-amd64.asc” ?
Anyways. Do I have that key in my keyring now?
gpg --list-keys
uid [ unknown] Teabot <teabot@gitea.io>
sub rsa4096 2018-06-24 [E] [expires: 2020-06-23]
sub rsa4096 2018-06-24 [S] [expires: 2020-06-26]
Ok, let’s export it and verify:
gpg --export -a "Teabot" > public.key
gpg --verify public.key gitea
gpg: verify signatures failed: Unexpected error
What’s wrong? I put down the whole process of how I obtained and exported the key, because I’m not too familiar with the process and the installation instructions cannot be followed through literally.
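
An added example, not part of the original post or of Gitea's documentation: `gpg --verify` takes a detached signature file (the `.asc` the post asks about) followed by the signed file, so an exported public key in that position cannot verify anything. The helper name `verify_detached` is hypothetical, and the `.asc` URL in the usage comment is an assumption that the signature is published next to the binary.

```shell
#!/bin/sh
# Added example: check a downloaded binary against its detached signature and
# pin the signer to the fingerprint that was passed to --recv in the post.

EXPECTED_FPR=7C9E68152594688862D62AF62D9AE806EC1592E2

# verify_detached SIGFILE DATAFILE FINGERPRINT   (hypothetical helper name)
# Returns 0 only if SIGFILE is a good detached signature over DATAFILE and the
# primary-key fingerprint reported by gpg equals FINGERPRINT.
# The local name of DATAFILE does not matter; only its bytes are checked.
verify_detached() {
    sig=$1 data=$2 want=$3
    [ -r "$sig" ] && [ -r "$data" ] || return 2
    # --status-fd 1 prints machine-readable status lines on stdout;
    # the human-readable messages go to stderr and are discarded here.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    # On a VALIDSIG line the last field is the primary key fingerprint,
    # which is what matters when a signing subkey made the signature.
    got=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage with the files from the post (run by hand, needs network):
#   wget -O gitea     https://dl.gitea.io/gitea/1.9.3/gitea-1.9.3-linux-amd64
#   wget -O gitea.asc https://dl.gitea.io/gitea/1.9.3/gitea-1.9.3-linux-amd64.asc  # assumed URL
#   gpg --keyserver pgp.mit.edu --recv "$EXPECTED_FPR"
#   verify_detached gitea.asc gitea "$EXPECTED_FPR" && echo "signature OK"
```

The imported key lives in the keyring, not in the working directory, so no export step is needed before verifying.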