On 02/21/2018 10:37 AM, Henry wrote:
> I downloaded a tarball ***6.4.tar.gz, its signature file
> ***6.4.tar.gz.sig, and the author's public key ******.pgp from a
> well-known site.
>
> I imported the public key: `gpg --import ******.pgp`.
> For some reason, two keys were "skipped":
> gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to missing keys
> gpg: key 0C0B590E80CA15A7: "Author's Name <aut...@xxxxxx.org>
> gpg: Total number processed: 3
> gpg: skipped PGP-2 keys: 2
       ^^^^^^^^^^^^^^^^^^^^^ note this and see below

> gpg: unchanged: 1
>
> I tried to verify the downloaded file, but the check failed:
> `gpg --verify ***6.4.tar.gz.sig ***6.4.tar.gz`
> gpg: Signature made Tue May 4 23:03:11 2004 JST
> gpg: using RSA key DC80F2A6D5327CB9
> gpg: Can't check signature: No public key
>

The above RSA key is in v3 format which is not supported in GnuPG >=2.1
for security reasons, hence not imported, and hence the output you see.

> This is the first time for this to happen, so I have no idea what I
> might be doing wrong. Any help or suggestions much appreciated. TIA

The author should sign the package using a more modern and secure keyblock.

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aut disce aut discede
Either learn or leave
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users