On Sunday, 25 March 2018 at 14:13:41 UTC, Ali wrote:
(Note: the individual keys in the keyring are currently expired and we are working on rolling out a new keyring, but that doesn't affect verifying the existing signatures.)

While you are at it, also add a SHA-1 or a SHA-256 checksum; I think it will work better to verify the download.

SHA-1 or SHA-256 checksums can't be verified automatically, because that requires you to download the checksum from the same source. They can be used if you have checked the authenticity in another way, but if dlang.org is compromised the attacker would also change the checksums, whereas he can't change your local, verified keyring.

For this reason, it's common for Linux distros to sign their packages:

https://wiki.archlinux.org/index.php/Pacman/Package_signing
https://wiki.debian.org/SecureApt

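The argument in the reply above, as an added example that is not part of the original thread or of the dlang.org release tooling: a compromised download server can rewrite the archive, the checksum file, the detached signature and even the public key it offers for download, but it cannot produce a signature that verifies against a key the user imported and checked earlier. The model below uses Go's Ed25519 in place of GPG, the release bytes and file names are constructed sample data, and `Publish`, `Compromise`, `VerifyChecksum`, `VerifySignature` and `Scenario` are names chosen here, not anything the project ships.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download server publishes: the archive, its checksum,
// a detached signature and the public key the site offers, all served from
// the same host. (Constructed model, not the real dlang.org layout.)
type Release struct {
	Archive   []byte
	SHA256    string            // hex digest, as in a SHA256SUMS file
	Signature []byte            // detached signature over Archive
	ServerKey ed25519.PublicKey // public key the server offers for download
}

// Publish builds a release as a maintainer would: hash the archive and sign
// it with a private key that never leaves the maintainer's machine.
func Publish(archive []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) Release {
	sum := sha256.Sum256(archive)
	return Release{
		Archive:   archive,
		SHA256:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, archive),
		ServerKey: pub,
	}
}

// Compromise models an attacker who controls the web server: they replace the
// archive, recompute the checksum, re-sign with a key of their own and swap
// the public key the site offers. The one thing they cannot touch is a
// keyring that users imported and verified before the compromise.
func Compromise(trojan []byte) Release {
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Publish(trojan, attackerPub, attackerPriv)
}

// VerifyChecksum is the `sha256sum -c` check with a SHA256SUMS file fetched
// from the same server as the archive.
func VerifyChecksum(r Release) bool {
	sum := sha256.Sum256(r.Archive)
	return hex.EncodeToString(sum[:]) == r.SHA256
}

// VerifySignature stands in for `gpg --verify`: trustedKey is whatever the
// verifier decides to trust. Passing r.ServerKey (a key fetched from the
// same site) repeats the same-source mistake of the checksum.
func VerifySignature(r Release, trustedKey ed25519.PublicKey) bool {
	return ed25519.Verify(trustedKey, r.Archive, r.Signature)
}

// Outcome records what each check says about the genuine and tampered release.
type Outcome struct {
	GenuineChecksum, GenuineSignature      bool
	TamperedChecksum                       bool
	TamperedSigServerKey, TamperedSigLocal bool
}

// Scenario runs the thread's argument end to end.
func Scenario() Outcome {
	maintainerPub, maintainerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Users imported this key earlier: the "local, verified keyring".
	localKeyring := maintainerPub

	// Constructed sample bytes standing in for the real archive.
	genuine := Publish([]byte("dmd-release.tar.xz (constructed sample bytes)"), maintainerPub, maintainerPriv)
	tampered := Compromise([]byte("dmd-release.tar.xz with a backdoor (constructed)"))

	return Outcome{
		GenuineChecksum:      VerifyChecksum(genuine),
		GenuineSignature:     VerifySignature(genuine, localKeyring),
		TamperedChecksum:     VerifyChecksum(tampered),                      // attacker updated the checksum
		TamperedSigServerKey: VerifySignature(tampered, tampered.ServerKey), // key came from the attacker
		TamperedSigLocal:     VerifySignature(tampered, localKeyring),       // attacker lacks the maintainer's key
	}
}

func main() {
	o := Scenario()
	fmt.Printf("genuine:  checksum=%v signature=%v\n", o.GenuineChecksum, o.GenuineSignature)
	fmt.Printf("tampered: checksum=%v signature(key from site)=%v signature(local keyring)=%v\n",
		o.TamperedChecksum, o.TamperedSigServerKey, o.TamperedSigLocal)
}
```

The tampered release passes the checksum and even passes signature verification when the key is fetched from the compromised site; only the check against the locally held key rejects it. The real-world equivalent is importing the project's keyring once through a channel you have checked, then running `gpg --verify` on each download against that keyring rather than against a key fetched alongside the file.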