Hi! I am not sure how you imported that key to your gpg keyring. The message 'Can't check signature: No public key" means you do not have the named DSA key in your keyring. I downloaded the source and signature files and then did this:
gpg --keyserver pool.sks-keyservers.net --recv-keys F48CA81B69A85873 which resulted in gpg: key F48CA81B69A85873: 3 duplicate signatures removed gpg: key F48CA81B69A85873: 1 signature reordered gpg: key F48CA81B69A85873: public key "Joerg Wunsch <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 With Joerg's key now in my keyring, I proceeded to verify: gpg --verify avrdude-6.3.tar.gz.sig avrdude-6.3.tar.gz which resulted in gpg: Signature made Tue 16 Feb 2016 05:02:43 PM EST gpg: using DSA key F48CA81B69A85873 gpg: Good signature from "Joerg Wunsch <[email protected]>" [unknown] gpg: aka "Joerg Wunsch <[email protected]>" [unknown] gpg: aka "Joerg Wunsch <[email protected]>" [unknown] gpg: aka "Joerg Wunsch <[email protected]>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 5E84 F980 C3CA FD4B B584 1070 F48C A81B 69A8 5873 As long as I see the text 'good signature from', I'm happy, and consider the tarball to be verified. As a note, I'm not sure how active avrdude is as a project now. There has not been an update since 2016. It has been a while since I've used avrdude myself. I've used it in the past and I like it. I'm very rusty these days. Read the documentation that exists and good luck to you! Thanks so much Bob Cochran On Wed, Mar 31, 2021 at 10:05 AM <[email protected]> wrote: > I downloaded avrdude-6.3.tar.gz and avrdude-6.3.tar.gz.sig from > https://download.savannah.gnu.org/releases/avrdude/, tried to verify and > got this: > > gpg: assuming signed data in 'avrdude-6.3.tar.gz' > gpg: Signature made Tue 16 Feb 2016 10:02:43 PM UTC > gpg: using DSA key F48CA81B69A85873 > gpg: key F48CA81B69A85873: new key but contains no user ID - skipped > gpg: Total number processed: 1 > gpg: w/o user IDs: 1 > gpg: Can't check signature: No public key > > I also found https://github.com/facchinm/avrdude/releases but nothing > there is signed. What should I do now? It's important for me to build from > source and I'd much prefer it to be signed. > > >
