How VLC verifies the digital signature updates?

This forum is about all development around libVLC.
Faunris
New Cone
Posts: 1
Joined: 29 Aug 2012 10:12

How VLC verifies the digital signature updates?

Postby Faunris » 29 Aug 2012 10:18

I am creating my own native VLC build and want to change the update server to my own.
I have already created the PGP keys, but I do not know which system is used to sign all the files.
Please tell us which keys are used, and how to sign the file describing the release and the file with the update.

Jean-Baptiste Kempf
Site Administrator
Posts: 37523
Joined: 22 Jul 2005 15:29
VLC version: 4.0.0-git
Operating System: Linux, Windows, Mac
Location: Cone, France

Re: How VLC verifies the digital signature updates?

Postby Jean-Baptiste Kempf » 29 Aug 2012 12:18

read doc/release-HOWTO.txt
Jean-Baptiste Kempf
http://www.jbkempf.com/ - http://www.jbkempf.com/blog/category/Videolan
VLC media player developer, VideoLAN President and Sites administrator
If you want an answer to your question, just be specific and precise. Don't use Private Messages.

student13
New Cone
Posts: 3
Joined: 26 May 2017 04:39

Re: How VLC verifies the digital signature updates?

Postby student13 » 26 May 2017 04:51

Hello, I have a question and comment relating to this thread on VLC. I have just downloaded VLC for Ubuntu.
I am having difficulty finding the string of code that you need to put into the Ubuntu terminal to download the keys to
verify VLC 2.2.6 (May 2017 version). I will try to explain:

1. What I did
2. What I could not understand
3. What suggestions/improvements need to be made so noobs like me can understand.

1. What I did
I entered this into terminal:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 6BCA5E4DB84288D9

Executing: /tmp/tmp.3jwpOcDBLW/gpg.1.sh --keyserver
keyserver.ubuntu.com
--recv-keys
6BCA5E4DB84288D9
gpg: key 6BCA5E4DB84288D9: "VideoLAN APT Signing Key <videolan@videolan.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

Then I tried entering this code:
gpg --verify '/home/owner/Desktop/vlc-2.2.6.tar.xz.asc' '/home/owner/Desktop/vlc-2.2.6.tar.xz.sha256'

gpg: Signature made Wed 24 May 2017 09:08:28 AM EDT
gpg: using DSA key 7180713BE58D1ADC
gpg: Can't check signature: No public key

gpg --list-keys --with-fingerprint B84288D9

gpg: error reading key: No public key



I cannot seem to download keys from the keyserver; there need to be better instructions about this.

2. What I could not understand

Ok, this is a little too complicated for stupids like me:

Tarballs (Use a clean tree !!!)
- Use 'make distcheck' to make sure all files are exported correctly
- copy the tar.xz file on ganesh.videolan.org
- generate SHA, MD5 hashes and OpenPGP signature of these files :
    for file in vlc*; do
        for sum in md5 sha1 sha256; do
            ${sum}sum --binary $file > $file.$sum
        done
        gpg -sb -u VideoLAN\ Release --armor --force-v3-sigs $file
    done

I could not understand this... If you want a good example of how to explain this, look at the following below.

3. What a good example of explaining to people how to verify the download:


This is an EXCELLENT example of how to explain to people how to download and verify their download.

https://www.ubuntu.com/download/how-to-verify

Terminal commands and keyservers and how to list and verify them are written so the average user can understand.
Remember, not everyone is at the same level as developers.


PS: Does sudo apt-get install VLC do verifications for you?

Thanks.

PS: I speak French; if the daemon or an author of the software wants to reply in French, that is fine, thank you.
Last edited by student13 on 26 May 2017 05:05, edited 2 times in total.
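
The key mismatch visible in the terminal output of the post above, as an added example that is not part of the thread or of VLC's documentation: a small shell helper that reads gpg's verify output and reports whether the imported key is the one that made the signature. The function names and result labels are hypothetical; the sample output and key IDs are the ones quoted in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): explain a "No public key" result
# by comparing the key gpg asked for with the key that was imported.

# Constructed sample: the gpg --verify output quoted in the post above.
VERIFY_OUT="gpg: Signature made Wed 24 May 2017 09:08:28 AM EDT
gpg: using DSA key 7180713BE58D1ADC
gpg: Can't check signature: No public key"
# Key ID passed to apt-key --recv-keys in the same post.
IMPORTED_KEY="6BCA5E4DB84288D9"

# Print the ID (or fingerprint) of the key that made the signature.
signing_key_id() {
    printf '%s\n' "$1" |
        sed -n 's/^gpg: *using [A-Za-z0-9]* key \([0-9A-Fa-f]*\) *$/\1/p' |
        head -n 1
}

# Succeed when two IDs name the same key: the short ID and the long ID
# are the trailing hex digits of the full fingerprint.
same_key() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ -n "$b" ] || return 1
    case "$a" in *"$b") return 0 ;; esac
    case "$b" in *"$a") return 0 ;; esac
    return 1
}

# diagnose <gpg --verify output> <imported key id>
diagnose() {
    need=$(signing_key_id "$1")
    if [ -z "$need" ]; then
        echo "no-signature-line"
    elif ! printf '%s\n' "$1" | grep -q 'No public key'; then
        echo "key-available $need"
    elif same_key "$need" "$2"; then
        # Right key, wrong keyring: apt-key stores keys for APT, and a
        # plain gpg run reads the user's own keyring instead.
        echo "other-keyring $need"
    else
        # The imported key is not the one that signed this file.
        echo "wrong-key $need"
    fi
}

diagnose "$VERIFY_OUT" "$IMPORTED_KEY"   # wrong-key 7180713BE58D1ADC
```

Before importing the key gpg asked for, compare its full fingerprint with one obtained from the publisher over a separate channel.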


Re: How VLC verifies the digital signature updates?

Postby student13 » 26 May 2017 05:02

But, damn, the instructions in the txt are really complex.


Re: How VLC verifies the digital signature updates?

Postby student13 » 05 Jun 2017 05:59

BUMP


Re: How VLC verifies the digital signature updates?

Postby Jean-Baptiste Kempf » 06 Jun 2017 09:43
