On Tue, 20 Dec 2016 13:46, c...@burggraben.net said:

> I believe there's something wrong with the signature of the latest
> release.

Sorry, my fault.  To create the signature I use

  gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2

Today I forgot the -b and thus a non-detached signature was created
(suffix .gpg).  After realizing that I fixed that but probably I did

  gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2.gpg

which is obviously wrong.  Then I copied gnupg-2.1.17.tar.bz2{,.sig} to
the final locations.  The end result is that the detached signature was
over a binary signed tarball and not over the plain tarball.  I can't
prove that anymore because I deleted the .gpg files before I noticed
that the signature were wrong.

Before you ask: Yes, I should add a make target for signing.  Actually I
did this for the Windows installer's yesterday.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

Attachment: pgpoSaGpiid56.pgp
Description: PGP signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to