13

I want to install Cygwin-64. When I go to the download page, some information tells me: Run setup-x86_64.exe any time you want to update or install a Cygwin package for 64-bit windows. The signature for setup-x86_64.exe can be used to verify the validity of this binary using this public key.

Installing and Updating Cygwin Packages

How can I verify the validity of this binary using this public key? How do I write the command in cmd?

Manuel F.
  • 113
showkey
  • 291

2 Answers

6

First, import the key with:

gpg --import pubring.asc
gpg --list-keys

Now you can verify this signature against your list of public keys:

gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
elsamuko
  • 291
1

gpg --import pubring.asc (as in @elsamuko's answer) searches for the key in the hkp://keys.gnupg.net keyserver (the default in the ~/.gnupg/gpg.conf file). Sometimes that server+key combo doesn't seem to work, though.

Hence, as suggested by unSpawn and/or @user1686, the alternative is to retrieve the key from a different server, say http://keyserver.ubuntu.com/, for instance. Thus:

$ gpg --keyserver keyserver.ubuntu.com --recv 1a698de9e2e56300
$ gpg --list-keys

$ gpg --keyid-format=long --with-fingerprint --verify setup-x86_64.exe.sig setup-x86_64.exe
gpg: Signature made Thu Feb 17 22:01:07 2022 GMT
gpg: using DSA key A9A262FF676041BA
gpg: Can't check signature: public key not found
gpg: Signature made Thu Feb 17 22:01:07 2022 GMT
gpg: using RSA key 1A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A 5D56 1A69 8DE9 E2E5 6300

... does the trick!

Please follow this interesting discussion if you feel icky about the WARNING message.

Manuel F.
  • 113
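
The verification from both answers as a scripted check, added here as an example and not part of either answer: it accepts the file only when gpg reports a valid signature from the pinned fingerprint (taken from the output above), which is the decision the WARNING leaves to the user. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answers): accept the installer only when a valid
# signature was made by one pinned key, judged from gpg's --status-fd lines.

# Primary key fingerprint from the gpg output quoted above, spaces removed.
PINNED_FPR=56405CF6FCC81574682A5D561A698DE9E2E56300

# check_status PIN: read status lines on stdin. Succeed only if a VALIDSIG
# names PIN and no signature is reported bad, expired or revoked.
check_status() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # $3 is the signing key fingerprint; the last field is the primary key
        # fingerprint. Appending "" forces a string comparison.
        $2 == "VALIDSIG" && ($3 "" == pin || $NF "" == pin) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned SIGFILE FILE: the --verify call from the answers, with the
# machine-readable status on stdout. The exit code of gpg is ignored on purpose:
# a second signature from a key that is not in the keyring (NO_PUBKEY, the DSA
# key above) may make gpg report failure although the pinned signature is good.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status lines modelled on the transcript above (not captured output).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG A9A262FF676041BA 17 2 00 1645135267 9 -
[GNUPG:] NO_PUBKEY A9A262FF676041BA
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1A698DE9E2E56300 Cygwin <cygwin@cygwin.com>
[GNUPG:] VALIDSIG 56405CF6FCC81574682A5D561A698DE9E2E56300 2022-02-17 1645135267 0 4 0 1 8 00 56405CF6FCC81574682A5D561A698DE9E2E56300
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

if [ "$#" -eq 2 ]; then
    verify_pinned "$1" "$2" && echo "OK: signed by $PINNED_FPR" || echo "REJECTED"
fi
```

The pin is only as trustworthy as its source, so compare the fingerprint with a copy obtained over a separate channel before relying on it.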