xiaoxiang781216 commented on pull request #1382:
URL: https://github.com/apache/incubator-nuttx/pull/1382#issuecomment-658925450


   > You can do
   > 
   > ```
   > curl https://dist.apache.org/repos/dist/dev/incubator/nuttx/KEYS | gpg --import
   > ```
   > 
   
   So the user has to import KEYS manually.
   
   > That will import any public keys used by the project for signing. Currently it just contains mine but others would be appended if used.
   
   > But this does do the check already. So maybe I don't understand what you are asking for?
   
   Yes, the script will call gpg, but gpg complains about the sign mismatch if the user doesn't import KEY yet (most people don't know how to do this). Does it make sense that checkrelease.sh downloads KEY files too and passes them to gpg directly?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
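
The approach asked about in the comment above, sketched as an added example (not code from checkrelease.sh or the NuttX repository): import a downloaded KEYS file into a throwaway GnuPG home directory and verify the detached signature against only those keys. The function name `verify_with_keys` and its three file arguments are assumptions.

```shell
#!/bin/sh
# Added example: verify a detached signature against a KEYS file without
# reading or modifying the user's own keyring.

# verify_with_keys KEYS_FILE SIG_FILE DATA_FILE   (hypothetical helper)
# Returns 0 only if SIG_FILE is a good signature over DATA_FILE made by a
# key contained in KEYS_FILE; 1 on verification failure; 2 on bad input.
verify_with_keys() {
    keys_file=$1 sig_file=$2 data_file=$3
    [ -r "$keys_file" ] && [ -r "$sig_file" ] && [ -r "$data_file" ] || return 2

    # Throwaway GnuPG home: only keys from KEYS_FILE can satisfy the check.
    tmp_home=$(mktemp -d) || return 2
    chmod 700 "$tmp_home"

    rc=1
    if gpg --homedir "$tmp_home" --batch --quiet --import "$keys_file" 2>/dev/null; then
        # Parse the machine-readable status lines instead of relying on the
        # exit code alone. GOODSIG is only emitted for a valid signature from
        # a key that is neither expired nor revoked.
        status=$(gpg --homedir "$tmp_home" --batch --status-fd 1 \
                     --verify "$sig_file" "$data_file" 2>/dev/null) || true
        case "$status" in
            *"[GNUPG:] GOODSIG "*) rc=0 ;;
        esac
    fi

    # Stop any helper daemons started for the temporary home, then remove it.
    gpgconf --homedir "$tmp_home" --kill all >/dev/null 2>&1 || true
    rm -rf "$tmp_home"
    return $rc
}
```

The result is only as trustworthy as the KEYS file itself, so it should be fetched over HTTPS from the project's own distribution URL, as in the `curl` command quoted in the comment.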

