How to verify the integrity of a Julia download?

The problem is I can’t get the public keys.
Here are my tries:

  1. gpg --keyserver hkp://pgp.mit.edu:80 --recv-key 0x09788F1E
    output:
    gpg: keyserver receive failed: No keyserver available

  2. gpg --auto-key-locate nodefault,wkd --locate-keys pgp-public-keys@pgp.mit.edu
    output:
    gpg: error retrieving 'pgp-public-keys@pgp.mit.edu' via WKD: No data
    gpg: error reading key: No data

  3. gpg --keyserver http://pgp.mit.edu:80 --recv-key 0x09788F1E
    output:
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0

What to do to get that key?

Did you see the “Download Verification” section at Download Julia?

Here’s the direct link to the key:
https://julialang.org/assets/juliareleases.asc

Can you give the exact gpg command to import the key from the file and verify it?
I figured it out. Here’s the output:

gpgv: Signature made Friday 23 April 2021 11:16:56 PM IST
gpgv:                using RSA key 3673DF529D9049477F76B37566E3C7DC03D6E495
gpgv:                issuer "buildbot@julialang.org"
gpgv: Good signature from "Julia (Binary signing key) <buildbot@julialang.org>"

Verification (gpg --verify julia-1.6.1-linux-x86_64.tar.gz.asc julia-1.6.1-linux-x86_64.tar.gz) output:

gpg: Signature made Friday 23 April 2021 11:16:56 PM IST
gpg:                using RSA key 3673DF529D9049477F76B37566E3C7DC03D6E495
gpg:                issuer "buildbot@julialang.org"
gpg: Good signature from "Julia (Binary signing key) <buildbot@julialang.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3673 DF52 9D90 4947 7F76  B375 66E3 C7DC 03D6 E495
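Added example, not part of the original posts or of Julia's documentation: the `[unknown]` marker and the "not certified" warning above mean gpg has no trust path to the key, so the check that matters is that the signature was made by the expected fingerprint. The sketch below puts only the key file linked above into a throwaway keyring, verifies with gpgv, and compares the result with the fingerprint printed in this thread. The function names are hypothetical, and the pinned fingerprint should be confirmed against the Julia download page before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread): verify a detached signature and
# require that it was made by one pinned key.
# Usage after sourcing this file:
#   verify_julia juliareleases.asc julia-1.6.1-linux-x86_64.tar.gz.asc \
#                julia-1.6.1-linux-x86_64.tar.gz

# Fingerprint as printed in the gpg output quoted in this thread.
EXPECTED_FPR="3673DF529D9049477F76B37566E3C7DC03D6E495"

# Normalise a fingerprint: strip whitespace, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `--status-fd` lines on stdin and print the primary-key fingerprint
# (last field) of the first VALIDSIG line; print nothing if there is none.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_julia KEYFILE SIGFILE DATAFILE
# Returns 0 only if gpgv accepts the signature AND the signing key's
# primary fingerprint equals EXPECTED_FPR. Runs in a subshell so the
# temporary keyring is removed on every exit path.
verify_julia() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT

    # Convert the armored key file to a binary keyring that gpgv can read.
    # The user's own keyring and trust database are never touched.
    gpg --homedir "$tmp" --batch -o "$tmp/release.gpg" --dearmor "$1" || exit 2

    # gpgv exits non-zero on a bad or unverifiable signature.
    status=$(gpgv --keyring "$tmp/release.gpg" --status-fd 1 "$2" "$3" 2>/dev/null) || exit 1

    got=$(printf '%s\n' "$status" | validsig_primary_fpr)
    [ "$(normalize_fpr "$got")" = "$EXPECTED_FPR" ]
)
```

Because the keyring holds only the downloaded key file, a "Good signature" from any other key in the user's normal keyring cannot satisfy the check.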