Quote:
When I try and verify the .sig file against the downloaded gnucash.gz file I get a warning that there is no public Key?
|
The error message means you need to get the public key.
Presumably there is also a reason sites include checksums and ask you verify the package against them.
You were the one asking how to verify packages. Perhaps you need to be more specific about what it is about the package you want to verify?
Note: tampering with software is a fundamental right in OSS/FS. Asking for untampered-with software would seem to defeat the purpose. So I imagine you are concerned about
malicious tampering?
If a distributer is concerned about things of this nature, they will usually sign the web page (ssh certificates and things of such ilk). Things you get from that web page would then come from them (with high assurance, i.e. over an ssh tunnel.) and is unlikely to be tampered with en-route.