Dear Krita developers,
I would like to verify my Windows installer download using your signature file and PGP public key.
But https://download.kde.org/stable/krita/ only has the checksums to verify the checksum of the installer.
Can you fine people add a signature file too? I see other downloads have signature files for them.
Also, is this the PGP public key to use in verification? https://files.kde.org/krita/dmitry_kazakov.gpg
Or if I am misunderstanding something, please let me know too, but this is how I verify all open source software that enables user with the correct info.
Thank you!
Hello @KritaArt3983, and welcome to the forum!
I can’t tell you exactly why there is no signature for Krita’s Windows versions, but if I remember it correctly, they are not provided because they were never requested.
In the world of Windows, most of the users seem to be less safety/security aware.
For me that is not such a big issue, because I’m usually directly downloading from the build server infrastructure which for me is safe enough, and when release builds are created, then I can also find a documenting file in the huge build archive which contains a hash for the installer in these archives, but that was not PGP but SHA-512 or something in that direction.
Michelist
Hello Michelist and thank you for your response.
I am weird and security focused even on Windows. I do check the checksums, which is better than nothing and I’m thankful for. Hope one day signature file and PGP public key can also be released with installer. (or maybe I misunderstand something)
Hi, @KritaArt3983!
The binaries on Windows are signed by KDE’s key using Microsoft’s binary verification system, so they (at least the binaries) are protected. That was actually the reason why we never signed the Windows packages.
Hello dkazakov,
Thank you for taking the time to explain to me.
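The two checks discussed in this thread (the published checksum and the Windows binary signature), sketched in PowerShell as an added example that is not part of any forum post and not Krita's or KDE's own tooling. The installer path, expected hash, hash algorithm and signer string are all user-supplied assumptions; the thread does not state them.

```powershell
# Added example: check a downloaded installer's checksum and Authenticode signature.
# All parameter values are supplied by the user; nothing here is taken from Krita's site.
param(
    [Parameter(Mandatory)] [string] $Installer,        # path to the downloaded .exe
    [Parameter(Mandatory)] [string] $ExpectedHash,     # hex digest copied from the published checksum
    [string] $Algorithm = 'SHA256',                    # assumption: use whatever the checksum file states
    [string] $ExpectedSigner = ''                      # optional substring expected in the signer subject
)

# 1. Checksum: detects a corrupted or swapped download, but only if the
#    checksum itself came from a source you trust.
$actualHash = (Get-FileHash -LiteralPath $Installer -Algorithm $Algorithm).Hash
$hashOk = $actualHash -eq $ExpectedHash.Trim()    # -eq on strings ignores case

# 2. Authenticode: Windows validates the embedded signature and its chain.
$sig = Get-AuthenticodeSignature -LiteralPath $Installer
$sigOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

# 'Valid' only means some trusted publisher signed the file, so also
# compare the signer subject when an expected name was given.
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
$signerOk = (-not $ExpectedSigner) -or ($subject -like "*$ExpectedSigner*")

[pscustomobject]@{
    File        = $Installer
    HashMatches = $hashOk
    ActualHash  = $actualHash
    SigStatus   = $sig.Status
    Signer      = $subject
    Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    Timestamped = [bool]$sig.TimeStamperCertificate
    SignerOk    = $signerOk
} | Format-List

if (-not ($hashOk -and $sigOk -and $signerOk)) {
    Write-Error 'Verification failed: do not run this installer.'
    exit 1
}
```

A `SigStatus` of `HashMismatch` means the file was altered after signing, and `NotSigned` means there is no embedded signature to check at all.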