Sorry, it was the last option "I'm doing something stupid" :) The package was signed with a sub key which I missed.
Kind regards, Martijn Brinkers On 11-11-19 14:19, Martijn Brinkers wrote: > Hi, > > I downloaded the latest RC release from the provided link > > https://github.com/roundcube/roundcubemail/releases/download/1.4.0/roundcubemail-1.4.0.tar.gz > > I then downloaded the signature > > https://github.com/roundcube/roundcubemail/releases/download/1.4.0/roundcubemail-1.4.0.tar.gz.asc > > When I try to validate the signature gpg tells me: > > gpg --verify roundcubemail-1.4.0.tar.gz.asc > gpg: assuming signed data in 'roundcubemail-1.4.0.tar.gz' > gpg: Signature made za 09 nov 2019 21:30:45 CET > gpg: using RSA key 8970E37A698AF775D87D590DC2946A9609CD56B4 > gpg: issuer "[email protected]" > > > This shows that the signer has the key id: > > 8970E37A698AF775D87D590DC2946A9609CD56B4 > > However according to the website the (short) key ID should be: > > 41C4F7D5 > > The download link for the signing key > (https://roundcube.net/download/pubkey.asc) matches the above short key id: > > F3E4C04BB3DB5D4215C45F7F5AB2BAA141C4F7D5 > > So either the packages have been signed with a different roundcube devs > key or the packages have been modified (or I'm doing something stupid :) > > Any idea? > > > Kind regards, > > Martijn Brinkers > _______________________________________________ Roundcube Users mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/users
