Karl Berry <[email protected]> writes:
> I signed it. I'm one of the listed admins of the automake group on
> savannah (https://savannah.gnu.org/projects/automake/), so I don't know
> what you mean by "from the automake group". Jim is still the official
> automake maintainer, but my key was added as an allowed uploader since
> (unfortunately) he doesn't have much time for automake any more.
> gpg --verify automake-1.18.tar.xz.sig works for me.
Using the GPG keyring from Savannah [1]:
$ gpg --import automake-keyring.gpg
gpg: key 7FD9FCCB000BEEEE: 434 signatures not checked due to missing keys
gpg: key 7FD9FCCB000BEEEE: public key "Jim Meyering <[email protected]>"
imported
gpg: key 9DEB46C0D679F6CF: 2 signatures not checked due to missing keys
gpg: key 9DEB46C0D679F6CF: public key "Karl Berry <[email protected]>"
imported
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: key 0716748A30D155AD: 1 bad signature
gpg: key 0716748A30D155AD: public key "Karl Berry <[email protected]>"
imported
gpg: Total number processed: 3
gpg: imported: 3
gpg: no ultimately trusted keys found
$ gpg --verify automake-1.18.tar.xz.sig
gpg: assuming signed data in 'automake-1.18.tar.xz'
gpg: Signature made Tue May 27 13:47:11 2025 PDT
gpg: using RSA key 17D3311B14BC0F248267BF020716748A30D155AD
gpg: Good signature from "Karl Berry <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 17D3 311B 14BC 0F24 8267 BF02 0716 748A 30D1 55AD
Seems fine to me as well.
[1] https://savannah.gnu.org/project/release-gpgkeys.php?group=automake
