Re: having trouble checking the signature of a downloaded file

2018-02-22 Thread Kristian Fiskerstrand
On 02/22/2018 11:13 PM, Kristian Fiskerstrand wrote: > On 02/22/2018 11:03 PM, Henry wrote: >> 2018-02-21 20:56 GMT+09:00 Kristian Fiskerstrand >> : >>> On 02/21/2018 11:53 AM, Peter Lebbing wrote: >>> Touché :) Indeed, didn't notice it was an old

Re: having trouble checking the signature of a downloaded file

2018-02-22 Thread Kristian Fiskerstrand
On 02/22/2018 11:03 PM, Henry wrote: > 2018-02-21 20:56 GMT+09:00 Kristian Fiskerstrand > : >> On 02/21/2018 11:53 AM, Peter Lebbing wrote: >> Touché :) Indeed, didn't notice it was an old file/signature, then >> gnupg 1.4 is the recommended official

Re: having trouble checking the signature of a downloaded file

2018-02-22 Thread Henry
2018-02-21 20:56 GMT+09:00 Kristian Fiskerstrand : > On 02/21/2018 11:53 AM, Peter Lebbing wrote: > Touché :) Indeed, didn't notice it was an old file/signature, then > gnupg 1.4 is the recommended official suggestion presuming established > validity of

Re: having trouble checking the signature of a downloaded file

2018-02-21 Thread Kristian Fiskerstrand
On 02/21/2018 11:53 AM, Peter Lebbing wrote: > On 21/02/18 10:48, Kristian Fiskerstrand wrote: >>>gpg: Signature made Tue May 4 23:03:11 2004 JST >> [...] >> >> The author should sign the package using a more modern and secure keyblock. > Note that not the key, but the /signature/ is made 14

Re: having trouble checking the signature of a downloaded file

2018-02-21 Thread Peter Lebbing
On 21/02/18 11:53, Peter Lebbing wrote: > The > author might not be available anymore or willing to expend any effort. (Or the author might not have a more authentic copy of the file anymore either. This is not the reason I'm self-replying though). > This all comes with a major caveat. Make

Re: having trouble checking the signature of a downloaded file

2018-02-21 Thread Peter Lebbing
On 21/02/18 10:48, Kristian Fiskerstrand wrote: >>gpg: Signature made Tue May 4 23:03:11 2004 JST > [...] > > The author should sign the package using a more modern and secure keyblock. Note that not the key, but the /signature/ is made 14 years ago. So we're talking about verifying the

Re: having trouble checking the signature of a downloaded file

2018-02-21 Thread Kristian Fiskerstrand
On 02/21/2018 10:37 AM, Henry wrote: > I downloaded a tarball ***6.4.tar.gz, its signature file > ***6.4.tar.gz.sig, and the author's public key **.pgp from a > well-known site. > > I imported the public key: `gpg --import **.pgp`. > For some reason, two keys were "skipped": >gpg:

having trouble checking the signature of a downloaded file

2018-02-21 Thread Henry
I downloaded a tarball ***6.4.tar.gz, its signature file ***6.4.tar.gz.sig, and the author's public key **.pgp from a well-known site. I imported the public key: `gpg --import **.pgp`. For some reason, two keys were "skipped": gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to