Verify Maddy signature

[superpestro]

How can I verify "releases/download/v0.7.1/maddy-0.7.1-src.tar.zst" using "releases/download/v0.7.1/maddy-0.7.1-src.tar.zst.sig"? I'm getting gpg errors. Sorry if it's a stupid question!

[foxcpp]

Release artifacts are signed using PGP key 3197BBD95137E682A59717B434BB2007081396F4, available at public key server openpgp.org: https://keys.openpgp.org/vks/v1/by-fingerprint/3197BBD95137E682A59717B434BB2007081396F4
You need to download and import the key using gpg --import command. Then you should be able to run the verification command e.g. gpg --verify maddy-0.7.1-src.tar.zst.sig.

Possible output:

gpg: assuming signed data in 'maddy-0.7.1-src.tar.zst'
gpg: Signature made Wed Jan 24 00:39:00 2024 MSK
gpg:                using EDDSA key FEAAFB6CEB3713B86EA36D5F5B991F6215D2FCC0
gpg: Good signature from "Max Mazurov <fox.cpp@disroot.org>" [unknown]    <------ Signature is valid.
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3197 BBD9 5137 E682 A597  17B4 34BB 2007 0813 96F4
     Subkey fingerprint: FEAA FB6C EB37 13B8 6EA3  6D5F 5B99 1F62 15D2 FCC0

[superpestro]

Thanks a lot!

I was missing the --keyserver argument. I run the following commands and everything was OK:

$ gpg --keyserver hkps://keys.openpgp.org/ --recv-keys 3197BBD95137E682A59717B434BB2007081396F4
$ gpg --verify maddy-0.7.1-src.tar.zst.sig
gpg: assuming signed data in 'maddy-0.7.1-src.tar.zst'
gpg: Signature made mar 23 ene 2024 22:39:00 CET
gpg:                using EDDSA key FEAAFB6CEB3713B86EA36D5F5B991F6215D2FCC0
gpg: Good signature from "Max Mazurov <fox.cpp@disroot.org>" [unknown]

I hope this could be helpful for other people.