The problem is who signs: it is not someone whose signature is expected.

wget https://files.devuan.org/devuan_chimaera/Release_notes.txt -q -O - | grep -A 4 'are signed'

wget https://files.devuan.org/devuan_chimaera/installer-iso/SHA256SUMS https://files.devuan.org/devuan_chimaera/installer-iso/SHA256SUMS.asc
gpg --verify SHA256SUMS.asc
gpg --keyserver pgp.mit.edu --search-keys E93D7167A4F5FA9E9FED497770285BA5CF280BA4

Ralph Ronnquist (rrq) <ralph.ronnqu...@gmail.com>

It would be expected to be some...@devuan.org or similar, as in
wget https://files.devuan.org/devuan-archive-keyring.gpg -q -O - | gpg

PS: keys.gnupg.net closed down years ago (it was discussed here on the list when it
happened), but the others (pgp.mit.edu, keys.openpgp.org, ...) continue.

Best regards,

On Friday, 25 February 2022 19:06:27 CET, Lars Noodén via Dng <dng@lists.dyne.org> wrote:

 I see that the ISO images are signed.  I've tried to fetch the signing
key[1] again,

$ gpg --keyserver keys.gnupg.net \
  --recv-key E032601B7CA10BC3EA53FA81BB23C00C61FC752C

$ gpg --keyserver keys.gnupg.net \
  --recv-key BB23C00C61FC752C

$ gpg --keyserver keys.gnupg.net \
  --search-keys BB23C00C61FC752C

but get an error instead with each of the above methods:

  gpg: keyserver receive failed: Server indicated a failure

What is the current / correct location to find the public key to check
the releases with?

/Lars

[1] https://www.devuan.org/os/keyring
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
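
Added example (not part of the thread and not Devuan's own tooling): one way to check who made a signature, rather than only whether it is good, is to parse gpg's `--status-fd` output and compare the `VALIDSIG` fingerprint with a pinned one. The function names, the sample status lines and the choice of pinned fingerprint are assumptions for illustration; the fingerprint you pin should come from a source you trust.

```sh
#!/bin/sh
# Added example. Pins the expected signer instead of accepting any good signature.

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# of each valid signature (last field of a VALIDSIG line).
valid_signers() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($NF) }'
}

# signer_is_expected STATUS_TEXT FPR...
# True only if there is at least one valid signature and every valid
# signature comes from one of the pinned fingerprints.
signer_is_expected() {
    status=$1; shift
    signers=$(printf '%s\n' "$status" | valid_signers)
    [ -n "$signers" ] || return 1
    for s in $signers; do
        found=no
        for want in "$@"; do
            want=$(printf '%s' "$want" | tr -d ' ' | tr a-f A-F)
            if [ "$s" = "$want" ]; then found=yes; fi
        done
        [ "$found" = yes ] || return 1
    done
    return 0
}

# verify_pinned SIGFILE FPR...  runs gpg on a detached signature such as
# SHA256SUMS.asc (data file alongside it) and applies the pin check.
verify_pinned() {
    sig=$1; shift
    status=$(gpg --status-fd 1 --verify "$sig" 2>/dev/null) || return 1
    signer_is_expected "$status" "$@"
}

# Constructed status output (dates invented); fingerprints are the two that
# appear in the thread's commands.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 70285BA5CF280BA4 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG E93D7167A4F5FA9E9FED497770285BA5CF280BA4 2022-02-25 1645800000 0 4 0 1 8 00 E93D7167A4F5FA9E9FED497770285BA5CF280BA4'

if signer_is_expected "$SAMPLE_STATUS" E032601B7CA10BC3EA53FA81BB23C00C61FC752C; then
    echo "signer matches the pinned fingerprint"
else
    echo "valid signature, but not from the pinned fingerprint"
fi
```

If a gpg build omits the optional primary-key field from `VALIDSIG`, the last field will not be a fingerprint and the check fails closed.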
  