On Tue, Apr 16, 2013 at 4:01 AM, jn <johns...@gmail.com> wrote: > I do not seem to be able to verify the PGP signature for > ossec-wui-0.3.tar.gz > It appears to me that the available public key is different from the one > used to > sign the archive. > > It appears to me that the sig was made w/ 6B30327E, > but OSSEC-PGP-KEY.asc is A3901351 > > Am I missing something here? > What am I doing wrong? >
It's super old code, it was probably signed with the old key. > > root@host:~/working# wget -q > http://www.ossec.net/files/ossec-wui-0.3-checksum.txt > root@host:~/working# cat ossec-wui-0.3-checksum.txt > MD5 (ossec-wui-0.3.tar.gz) = c79fa486e9a20fb06a517541033af304 > SHA1 (ossec-wui-0.3.tar.gz) = e00bff680721982ee55295a5292eb4e2a638b820 > > root@host:~/working# md5sum ossec-wui-0.3.tar.gz > c79fa486e9a20fb06a517541033af304 ossec-wui-0.3.tar.gz > > root@host:~/working# sha1sum ossec-wui-0.3.tar.gz > e00bff680721982ee55295a5292eb4e2a638b820 ossec-wui-0.3.tar.gz > > root@host:~/working# wget -q http://www.ossec.net/files/OSSEC-PGP-KEY.asc > root@host:~/working# gpg --import OSSEC-PGP-KEY.asc > gpg: key A3901351: public key "Daniel B. Cid <d...@ossec.net>" imported > gpg: Total number processed: 1 > gpg: imported: 1 (RSA: 1) > > root@host:~/working# gpg --verify ossec-wui-0.3.tar.gz.sig > gpg: Signature made Tue 04 Mar 2008 12:27:59 PM CST using RSA key ID > 6B30327E > gpg: Can't check signature: public key not found > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.