Hi Lee,
  The point is the GPG key found on the net-snmp website has the wrong key.

I can quite easily download the key off the keyserver but the point is not
that someone signed the package using some random key uploaded to a
keyserver, but it was signed by the correct key. For better or worse, the
only way of determining the correct key is to trust the net-snmp website
which says "we use this key".

 - Craig


On Fri, 30 Nov. 2018, 08:44 Lee <ler...@gmail.com> wrote:

> On 11/27/18, Craig Small <csm...@debian.org> wrote:
> > Hi,
> >   The 5.8 tarball is signed with one key and the GPG key available on your
> > website is another.
> > I assume that it's just you using a new key, but for now I won't be updating
> > the Debian packages until I'm sure they're ok.
>
> Maybe you need to refresh your keys?
> $ gpg --refresh-keys "Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>"
>
> All these show as expired
> > $ gpg net-snmp-admin.asc
> > gpg: WARNING: no command supplied. Trying to guess what you mean ...
> > pub dsa1024 2003-01-15 [SCA] [expired: 2006-01-14]
> > F8AAF6915F859170B6E14DCFACCB65FD7800FEAC
> > uid Net-SNMP Administrators <net-snmp-ad...@lists.sourceforge.net>
> > sub elg1024 2003-01-15 [E] [expired: 2006-01-14]
> > pub dsa1024 2006-01-17 [SC] [expired: 2009-01-16]
> > 2B118A084EAAA4F068D9DB80D433A441FFEF09D7
> > uid Net-SNMP Administrators <net-snmp-ad...@lists.sourceforge.net>
> > sub elg4096 2006-01-17 [E] [expired: 2009-01-16]
> > pub dsa1024 2008-07-18 [SC] [expired: 2011-07-18]
> > A3D28987986266F80C577A5F945B5DBA317F8F64
> > uid Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>
> > sub elg4096 2008-07-18 [E] [expired: 2011-07-18]
> > pub rsa4096 2011-06-02 [SC] [expired: 2014-06-01]
> > 8AAA779B597B405BBC329B6376CF47B8A77C5329
> > uid Net-SNMP Administrators <net-snmp-ad...@lists.sourceforge.net>
> > sub rsa4096 2011-06-02 [E] [expired: 2014-06-01]
>
> I have a non-expired one in my keyring:
> $ gpg --list-keys "Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>"
> pub   1024D/0x945B5DBA317F8F64 2008-07-18 [expired: 2011-07-18]
>       Key fingerprint = A3D2 8987 9862 66F8 0C57  7A5F 945B 5DBA 317F 8F64
> uid                            Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>
>
> pub   4096R/0x7D5F9576E0F81533 2014-07-23 [expired: 2017-07-22]
>       Key fingerprint = 27CA A4A3 2E37 1383 A33E  D058 7D5F 9576 E0F8 1533
> uid                            Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>
>
> pub   4096R/0xF07B9D2DACB19FD6 2017-10-29 [expires: 2022-10-28]
>       Key fingerprint = D0F8 F495 DA61 60C4 4EFF  BF10 F07B 9D2D ACB1 9FD6
> uid                            Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>
> sub   4096R/0x830BDF8C2945FFAC 2017-10-29 [expires: 2022-10-28]
>
>
> which verifies:
> $ gpg --verify net-snmp-5.8.tar.gz.asc net-snmp-5.8.tar.gz
> gpg: Signature made Mon, Jul 16, 2018 10:33:52 AM EDT
> gpg:                using RSA key 0xF07B9D2DACB19FD6
> gpg: Good signature from "Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: D0F8 F495 DA61 60C4 4EFF  BF10 F07B 9D2D ACB1 9FD6
>
>
> > $ gpg --verify net-snmp-5.8.tar.gz.asc net-snmp-5.8.tar.gz
> > gpg: Signature made Tue 17 Jul 2018 00:33:52 AEST
> > gpg: using RSA key F07B9D2DACB19FD6
> > gpg: Can't check signature: No public key
> > --
> > Craig Small             https://dropbear.xyz/     csmall at : dropbear.xyz
> > Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
> > Mastodon: @smalls...@social.dropbear.xyz             Twitter: @smallsees
> > GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
>
> Lee
>
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
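
Added example, not part of the original messages: a pinned-fingerprint check over gpg's `--status-fd` output, showing the distinction Craig draws between a good signature and a signature by a key the project itself publishes. The status lines are constructed to mirror the two `gpg --verify` runs quoted above; the function names and verdict strings are assumptions.

```python
import subprocess

# Fingerprints in the net-snmp-admin.asc quoted in the thread (all shown expired).
WEBSITE_FPRS = {
    "F8AAF6915F859170B6E14DCFACCB65FD7800FEAC",
    "2B118A084EAAA4F068D9DB80D433A441FFEF09D7",
    "A3D28987986266F80C577A5F945B5DBA317F8F64",
    "8AAA779B597B405BBC329B6376CF47B8A77C5329",
}
# Primary key fingerprint gpg reports for the 5.8 signature in Lee's output.
SIGNING_FPR = "D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6"

def gpg_status(sig_path, data_path):
    """Run gpg and return its machine-readable status lines (written to fd 1)."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, data_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def verdict(status_text, pinned_fprs):
    """Classify a verification against fingerprints obtained out of band."""
    seen, fpr = set(), None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        seen.add(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The last VALIDSIG field is the primary key fingerprint when present.
            fpr = (parts[-1] if len(parts) >= 12 else parts[2]).upper()
    if "NO_PUBKEY" in seen:
        return "no-public-key"
    bad = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
    if seen & bad or "GOODSIG" not in seen or fpr is None:
        return "rejected"
    # A good signature only counts if the key is one the trusted source lists.
    return "ok" if fpr in pinned_fprs else "good-signature-unpinned-key"

# Constructed status output modelled on the two runs in the thread.
LEE_RUN = "\n".join([
    "[GNUPG:] GOODSIG F07B9D2DACB19FD6 Net-SNMP Administrators",
    "[GNUPG:] VALIDSIG " + SIGNING_FPR + " 2018-07-16 1531751632 0 4 0 1 8 00 " + SIGNING_FPR,
    "[GNUPG:] TRUST_UNDEFINED",
])
CRAIG_RUN = "\n".join([
    "[GNUPG:] ERRSIG F07B9D2DACB19FD6 1 8 00 1531751632 9",
    "[GNUPG:] NO_PUBKEY F07B9D2DACB19FD6",
])

if __name__ == "__main__":
    print(verdict(LEE_RUN, WEBSITE_FPRS), verdict(CRAIG_RUN, WEBSITE_FPRS))
```

Against the fingerprints in the website's key file, the keyserver-fetched key yields a good signature that is still not accepted; it only passes once that fingerprint is added to the pinned set from a source the verifier trusts.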
