Re: Can't verify avrdude-6.3.tar.gz

Hi!

I am not sure how you imported that key to your gpg keyring. The message 'Can't check signature: No public key" means you do not have the named DSA key in your keyring. I downloaded the source and signature files and then did this:

gpg --keyserver pool.sks-keyservers.net --recv-keys F48CA81B69A85873

which resulted in

gpg: key F48CA81B69A85873: 3 duplicate signatures removed

gpg: key F48CA81B69A85873: 1 signature reordered

gpg: key F48CA81B69A85873: public key "Joerg Wunsch <j@uriah.heep.sax.de>" imported

gpg: Total number processed: 1

gpg: imported: 1

With Joerg's key now in my keyring, I proceeded to verify:

gpg --verify avrdude-6.3.tar.gz.sig avrdude-6.3.tar.gz

which resulted in

gpg: Signature made Tue 16 Feb 2016 05:02:43 PM EST

gpg: using DSA key F48CA81B69A85873

gpg: Good signature from "Joerg Wunsch <j@uriah.heep.sax.de>" [unknown]

gpg: aka "Joerg Wunsch <joerg@FreeBSD.org>" [unknown]

gpg: aka "Joerg Wunsch <j@ida.interface-business.de>" [unknown]

gpg: aka "Joerg Wunsch <joerg_wunsch@interface-systems.de>" [unknown]

gpg: WARNING: This key is not certified with a trusted signature!

gpg: There is no indication that the signature belongs to the owner.

Primary key fingerprint: 5E84 F980 C3CA FD4B B584 1070 F48C A81B 69A8 5873

As long as I see the text 'good signature from', I'm happy, and consider the tarball to be verified.

As a note, I'm not sure how active avrdude is as a project now. There has not been an update since 2016. It has been a while since I've used avrdude myself. I've used it in the past and I like it. I'm very rusty these days. Read the documentation that exists and good luck to you!

Thanks so much

Bob Cochran

From:	Robert Cochran
Subject:	Re: Can't verify avrdude-6.3.tar.gz
Date:	Wed, 31 Mar 2021 19:31:34 -0400