Re: [Announce] GnuPG 2.1.17 released
On 20.12.2016, Christoph Moench-Tegeder wrote:

> Or is that just me and a local issue?

Most probably. For me, it works:

[htd@chiara Downloads]$ gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2
gpg: Signature made Tue 20 Dec 2016 14:59:50 CET using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] GnuPG 2.1.17 released
On Tue, 20 Dec 2016 13:46, c...@burggraben.net said:

> I believe there's something wrong with the signature of the latest
> release.

Sorry, my fault. To create the signature I use

  gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2

Today I forgot the -b and thus a non-detached signature was created (suffix .gpg). After realizing that I fixed that but probably I did

  gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2.gpg

which is obviously wrong. Then I copied gnupg-2.1.17.tar.bz2{,.sig} to the final locations. The end result is that the detached signature was over a binary signed tarball and not over the plain tarball. I can't prove that anymore because I deleted the .gpg files before I noticed that the signature was wrong.

Before you ask: Yes, I should add a make target for signing. Actually I did this for the Windows installers yesterday.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.
Re: [Announce] GnuPG 2.1.17 released
## Christoph Moench-Tegeder (c...@burggraben.net):

> This fails:
> gpg: Signature made Tue Dec 20 11:33:11 2016 CET

Since then, this has been fixed:

gpg: Signature made Tue Dec 20 14:59:50 2016 CET
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [unknown]

Note the newer timestamp. Also, HTTP reports that the signature has been replaced:
"Last-Modified: Tue, 20 Dec 2016 14:05:28 GMT"

(Almost) everything is fine,
Christoph

-- 
Spare Space
Re: [Announce] GnuPG 2.1.17 released
Hi,

Christoph Moench-Tegeder:
> Hi,
>
> I believe there's something wrong with the signature of the latest
> release.
>
> ## Werner Koch (w...@gnupg.org):
>
>> * If you already have a version of GnuPG installed, you can simply
>>   verify the supplied signature. For example to verify the signature
>>   of the file gnupg-2.1.17.tar.bz2 you would use this command:
>>
>>     gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2
>
> This fails:
> gpg: Signature made Tue Dec 20 11:33:11 2016 CET
> gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> gpg: BAD signature from "Werner Koch (dist sig)" [unknown]
>

Using the command --recv-keys you have to retrieve the key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 from keyservers and then do the --verify again. If it's still BAD SIGNATURE then, you'll have a good reason for opening a new thread. :-)

Note that you cannot verify a signature of a gnupg tarball if you do not have a (previous) version of gpg installed. In this case, you can only check the checksum, or use another system with gpg installed for verifying. Do not verify the signature using the gpg version you just downloaded.

Well, that's all part of the text of the usual announce mail posted on this very list.

Cheers
Stephan
Re: [Announce] GnuPG 2.1.17 released
On 12/20/2016 04:21 PM, Daniel Baur wrote:
> PS: What’s “public key algorithm 22”?

Elliptic Curves, specifically, EdDSA (in this case the warning is likely related to a signature on the key used for verification that is using Ed25519 which can't be verified by your client application)

-- 
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Nulla regula sine exceptione
No rule without exception
Re: [Announce] GnuPG 2.1.17 released
Hello,

On 20.12.2016 at 13:46, Christoph Moench-Tegeder wrote:
> SHA1 (gnupg-2.1.17.tar.bz2) = d83ab893faab35f37ace772ca29b939e6a5aa6a7
> SHA1 (gnupg-2.1.17.tar.bz2.sig) = 34cea3e6d139cb340bf14f04ff217cb6960cf36d
>
> Or is that just me and a local issue?

It works for me (see below), but the sig-file I downloaded has another hash (dfdfe72c4dd7e10bef283d25fa365cfa022305de) than yours, so maybe there was an issue and it is fixed already?

Sincerely,
DaB.

PS: What’s “public key algorithm 22”?

-- snip ---
16:15:39 dab@dabpc:/tmp$ LC_ALL=C gpg2 -v gnupg-2.1.17.tar.bz2.sig
:signature packet: algo 1, keyid 249B39D24F25E3B6
        version 4, created 1482242390, md5len 0, sigclass 0x00
        digest algo 8, begin of digest d8 f7
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2016-12-20)
        subpkt 16 len 8 (issuer key ID 249B39D24F25E3B6)
        data: [2046 bits]
gpg: assuming signed data in 'gnupg-2.1.17.tar.bz2'
gpg: Signature made Tue Dec 20 14:59:50 2016 CET
gpg:                using RSA key 0x249B39D24F25E3B6
gpg: can't handle public key algorithm 22
gpg: using PGP trust model
gpg: key 0x2D3EE2D42B255885: accepted as trusted key
gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
gpg: binary signature, digest algorithm SHA256
-- snap ---
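The packet dump in the post above can be decoded field by field with the parser below. This is an added example, not code from the thread or from GnuPG; it runs on a constructed packet that reuses the fingerprint, creation timestamp and digest prefix shown in the dump but carries a zero-filled placeholder where the 2046-bit RSA signature value would be, so it parses but would never verify. Public-key algorithm 22 is the EdDSA id that gpg reported it could not handle, and subpacket 33 (printed as "(?)" by that gpg build) is the issuer-fingerprint subpacket.

```python
import struct
from datetime import datetime, timezone

PK_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}   # 22 is the id gpg could not handle
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 10: "SHA512"}
SUBPKTS = {2: "sig created", 16: "issuer key ID", 33: "issuer fingerprint"}

# Constructed sample packet laid out exactly as the gpg -v dump above describes it; the
# fingerprint, timestamp and digest prefix are the thread's, the 2046-bit RSA MPI is a
# zero-filled placeholder, so this packet parses but is NOT a valid signature.
FPR = bytes.fromhex("D8692123C4065DEA5E0F3AB5249B39D24F25E3B6")
hashed = b"\x16\x21\x04" + FPR + b"\x05\x02" + (1482242390).to_bytes(4, "big")
unhashed = b"\x09\x10" + FPR[-8:]                     # subpkt 16: key ID is the low 64 bits of the fpr
body = (b"\x04\x00\x01\x08" + len(hashed).to_bytes(2, "big") + hashed
        + len(unhashed).to_bytes(2, "big") + unhashed + b"\xd8\xf7"
        + b"\x07\xfe\x3f" + b"\x00" * 255)            # MPI: 0x07FE = 2046 bits, then 256 octets
SAMPLE_PACKET = b"\x89" + len(body).to_bytes(2, "big") + body   # old-format tag 2, 2-octet length


def parse_subpackets(buf):
    """Decode signature subpackets (RFC 4880 5.2.3.1); one-octet lengths suffice for this sample."""
    out, i = [], 0
    while i < len(buf):
        length = buf[i]                               # counts the type octet plus the data
        stype, data = buf[i + 1] & 0x7F, buf[i + 2:i + 1 + length]
        if stype == 2:
            val = datetime.fromtimestamp(struct.unpack(">I", data)[0], timezone.utc).isoformat()
        else:                                         # subpkt 33 carries a key-version octet first
            val = (data[1:] if stype == 33 else data).hex().upper()
        out.append((stype, SUBPKTS.get(stype, "unknown"), val))
        i += 1 + length
    return out


def parse_signature_packet(pkt):
    """Parse an old-format v4 OpenPGP signature packet (RFC 4880 5.2.3) into its header fields."""
    if pkt[0] & 0xC0 != 0x80 or (pkt[0] >> 2) & 0x0F != 2 or pkt[0] & 0x03 != 1:
        raise ValueError("expected an old-format signature packet with a 2-octet length")
    body = pkt[3:3 + struct.unpack(">H", pkt[1:3])[0]]
    version, sigclass, pk_algo, hash_algo = body[:4]
    if version != 4:
        raise ValueError(f"unsupported signature version {version}")
    p = 6 + struct.unpack(">H", body[4:6])[0]         # end of hashed subpackets
    q = p + 2 + struct.unpack(">H", body[p:p + 2])[0] # end of unhashed subpackets
    mpi_bits = struct.unpack(">H", body[q + 2:q + 4])[0]
    if len(body) != q + 4 + (mpi_bits + 7) // 8:
        raise ValueError("signature MPI does not fill the packet")
    return {"sigclass": sigclass, "pk_algo": PK_ALGOS.get(pk_algo, f"unknown ({pk_algo})"),
            "digest": HASH_ALGOS.get(hash_algo, f"unknown ({hash_algo})"),
            "hashed": parse_subpackets(body[6:p]), "unhashed": parse_subpackets(body[p + 2:q]),
            "digest_prefix": body[q:q + 2].hex(), "mpi_bits": mpi_bits}
```

The decoded creation time is 13:59:50 UTC, which is the 14:59:50 CET that gpg printed for the replacement signature.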
Re: [Announce] GnuPG 2.1.17 released
Hi,

I believe there's something wrong with the signature of the latest
release.

## Werner Koch (w...@gnupg.org):

> * If you already have a version of GnuPG installed, you can simply
>   verify the supplied signature. For example to verify the signature
>   of the file gnupg-2.1.17.tar.bz2 you would use this command:
>
>     gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2

This fails:
gpg: Signature made Tue Dec 20 11:33:11 2016 CET
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: BAD signature from "Werner Koch (dist sig)" [unknown]

But the SHA1 hash of the release tarball matches the one in the release announcement. I downloaded directly from gnupg.org.
For reference, the hashes of the release file and the signature (as downloaded here) are:
SHA1 (gnupg-2.1.17.tar.bz2) = d83ab893faab35f37ace772ca29b939e6a5aa6a7
SHA1 (gnupg-2.1.17.tar.bz2.sig) = 34cea3e6d139cb340bf14f04ff217cb6960cf36d

Or is that just me and a local issue?

Regards,
Christoph

-- 
Spare Space