I was able to verify it with the .sig from gnu.org ftp, along with the info
at http://ftp.gnu.org/ about where to obtain the gnu-keyring.gpg file.
A suggestion... In addition to making sure the .sig is copied to your
mirrors, I recommend including the gnu-keyring.gpg info (from
http://ftp.gnu.org) at http://gcc.gnu.org/mirrors.html instead of just
saying "The archives on these mirrors will be signed by one of the following
GnuPG keys: ..." and listing the fingerprints (but not providing the actual
keys).
One more thing... 4.8.0 was signed with an expired key:
$ gpg --verify --keyring ./gnu-keyring.gpg ./gcc-4.8.0.tar.gz.sig
gpg: Signature made Fri 22 Mar 2013 08:32:29 AM CDT using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek "
gpg: Note: This key has expired!
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2  C3C4 5C06
Also, I am about to submit a bug ("internal compiler error") I found in
4.8.0/4.8.1, which of course clang has no problem with.
-----Original Message-----
From: Tobias Burnus [mailto:bur...@net-b.de]
Sent: Monday, April 29, 2013 5:25 PM
To: Scott Baldwin
Cc: gcc@gcc.gnu.org
Subject: Re: How am I supposed to verify gcc-4.8.0 download when you provide no .sig file?...
On 29.04.2013 22:14, Scott Baldwin wrote:
> Just downloaded 4.8.0 from one of your mirror sites listed at
> [http://gcc.gnu.org/mirrors.html] and would like to verify the file
> with GPG.
>
> Your site says "The archives there will be signed by one of the
> following GnuPG keys...", but I see no .sig/.asc file on the mirror
> sites (or in the package itself), so how am I supposed to verify the file,
> exactly?
Interestingly, the .sig files are only on the GNU server, e.g.
http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/
but not on the GCC server, e.g.
ftp://gcc.gnu.org/pub/gcc/releases/gcc-4.8.0/
As the latter is used by the mirrors, it is also not available on the
mirrors.
Tobias
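The transcript earlier in this thread shows the trap in scripting a release check: gpg prints "Good signature" for a signature made with an expired key and only adds a note afterwards, so a script that greps for "Good signature" or trusts the exit status alone accepts it. The following is an added example, not code from the thread or from the GCC or GNU projects. It reads gpg's machine-readable `--status-fd` lines (GOODSIG, EXPKEYSIG, REVKEYSIG, BADSIG, ERRSIG, VALIDSIG, as documented in GnuPG's doc/DETAILS), rejects expired and revoked keys, and pins the signer to a fingerprint published out of band, here the fingerprint quoted above for key ID C3C45C06. The sample status output, the e-mail address in the user id and the `verify_release.py` name are constructed placeholders.

```python
"""Check a detached GnuPG signature on a release tarball from gpg's --status-fd
output rather than its exit status, and pin the signer to a known fingerprint."""
import shutil
import subprocess
from dataclasses import dataclass

# Fingerprint quoted in the thread for key ID C3C45C06 (spaces removed). A real
# script would load every fingerprint published on gcc.gnu.org/mirrors.html.
TRUSTED_FINGERPRINTS = {"33C235A34C46AA3FFB293709A328C3A2C3C45C06"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: str = ""
    signer: str = ""


def parse_status(status_text, trusted=TRUSTED_FINGERPRINTS):
    """Decide from gpg's status lines whether a signature is acceptable.

    A signature by an expired key is reported as EXPKEYSIG while the
    human-readable output still says "Good signature", which is the case shown
    in the transcript above; the exit status does not reliably distinguish it.
    """
    seen = set()
    signer = fingerprint = primary = ""
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        seen.add(keyword)
        if keyword in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG"):
            # [GNUPG:] GOODSIG <long key id> <user id ...>
            signer = " ".join(fields[3:])
        elif keyword == "VALIDSIG":
            # [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pk algo> <hash algo> <class> [<primary key fpr>]
            fingerprint = fields[2].upper()
            primary = fields[11].upper() if len(fields) >= 12 else fingerprint
    if "BADSIG" in seen or "ERRSIG" in seen:
        return VerifyResult(False, "bad or unverifiable signature", fingerprint, signer)
    if "REVKEYSIG" in seen:
        return VerifyResult(False, "signing key is revoked", fingerprint, signer)
    if "EXPKEYSIG" in seen:
        return VerifyResult(False, "signing key has expired", fingerprint, signer)
    if "GOODSIG" not in seen or not fingerprint:
        return VerifyResult(False, "no valid signature found", fingerprint, signer)
    if fingerprint not in trusted and primary not in trusted:
        return VerifyResult(False, "signed by a key that is not on the published list",
                            fingerprint, signer)
    return VerifyResult(True, "good signature from a trusted key", fingerprint, signer)


def verify_detached(sig_path, data_path, keyring_path, trusted=TRUSTED_FINGERPRINTS):
    """Run gpg on a detached .sig with a keyring such as gnu-keyring.gpg."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found in PATH")
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--no-default-keyring",
         "--keyring", keyring_path, "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    # The exit status is deliberately ignored: the status lines are authoritative.
    return parse_status(proc.stdout, trusted)


# Constructed sample status output modelled on the transcript above; the user
# id's e-mail address is not on the page, so a placeholder is used.
EXPIRED_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1356998400
[GNUPG:] EXPKEYSIG A328C3A2C3C45C06 Jakub Jelinek <placeholder@example.invalid>
[GNUPG:] VALIDSIG 33C235A34C46AA3FFB293709A328C3A2C3C45C06 2013-03-22 1363959149 0 4 0 17 2 00 33C235A34C46AA3FFB293709A328C3A2C3C45C06
"""
# The same signature as it would look had the key not expired.
GOOD_STATUS = (EXPIRED_KEY_STATUS.replace("EXPKEYSIG", "GOODSIG")
               .replace("[GNUPG:] KEYEXPIRED 1356998400\n", ""))
# A good signature from a key whose fingerprint was never published.
UNKNOWN_KEY_STATUS = GOOD_STATUS.replace(
    "33C235A34C46AA3FFB293709A328C3A2C3C45C06", "0" * 40)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: verify_release.py <file.sig> <file> <keyring.gpg>")
    result = verify_detached(*sys.argv[1:])
    print(("OK" if result.ok else "REJECT") + ": " + result.reason,
          result.fingerprint, result.signer)
    sys.exit(0 if result.ok else 1)
```

Run as `python3 verify_release.py gcc-4.8.0.tar.gz.sig gcc-4.8.0.tar.gz gnu-keyring.gpg`; for the key in the transcript the script exits non-zero with "signing key has expired", which is the result the earlier one-liner silently passed over. The fingerprint pin matters independently of expiry: a good signature from a key that merely happens to be in gnu-keyring.gpg says nothing about whether that key is one the GCC release managers use.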