Re: Unable to verify file integrity of which source tarball
From: Rolando Garza C.
Subject: Re: Unable to verify file integrity of which source tarball
Date: Fri, 11 Mar 2022 15:16:29 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0

It is currently not possible to verify file integrity of the "which"
packages hosted on gnu.org (https://ftp.gnu.org/gnu/which/).

gpg --keyserver keyserver.ubuntu.com --recv-keys 6FD2C61D624ACAD5
gpg: Total number processed: 1
gpg: skipped PGP-2 keys: 1

I did a deep-dive trying to find the old signing public key
(0x6FD2C61D624ACAD5, or by the short handle of 624ACAD5); it can be
found by using the Internet Archive [0].

Also, I haven't been able to inspect the downloaded key, but I did find
an online source that listed the fingerprint as:

32 EC A7 B6 AC DB 65 A6 F6 F6 55 DD 1C DC FF 61
(32ECA7B6ACDB65A6F6F655DD1CDCFF61 for short)

It seems it might be required to download and compile gnupg-1.4.23 to
try to import the old signature with the old binary pgp2 format [1].
However, I was unable to build gnupg-1.4.23 (I got some weird errors,
but I may try to build it again at a later date); coincidentally, it was
also signed with Werner Koch's old signing key, with fingerprint:

D8692123C4065DEA5E0F3AB5249B39D24F25E3B6

Anyhow, is there a chance, Carlo, that the newest version of which be
re-signed with your new signing key?

Kind regards,
Rolando

[0]: https://web.archive.org/web/20150912123014if_/http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=which&download=1
[1]: https://unix.stackexchange.com/questions/404879/converting-old-pgp-keys-to-gpg-resolved#comment724527_404879

--
Rolando Garza
OpenPGP_0xE726BC7BEF39923D.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
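
Added example (not part of the original message, and not code from the which or GnuPG projects): a PGP-2 (v3) key that current gpg skips can still be inspected by hand, because its 16-byte fingerprint is the MD5 of the RSA modulus and exponent and its key ID is the low 64 bits of the modulus. The sketch below assumes the key is available as a raw binary (already de-armored) old-format public-key packet; the function names and the sample packet are constructed for illustration.

```python
import hashlib
import struct


def read_mpi(buf, off):
    """Return (magnitude bytes, next offset) for the OpenPGP MPI at buf[off:]."""
    (bits,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI")
    return buf[off + 2:end], end


def v3_key_info(packet):
    """Return (fingerprint, key_id) hex strings for a binary v2/v3 RSA key packet."""
    tag = packet[0]
    # Old-format header: bit 7 set, bit 6 clear, tag in bits 5-2 (6 = public key).
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 6:
        raise ValueError("not an old-format public-key packet")
    len_type = tag & 0x03
    if len_type > 2:
        raise ValueError("indeterminate-length packet not handled")
    hdr = 1 + (1 << len_type)          # 1-, 2- or 4-octet length field
    body_len = int.from_bytes(packet[1:hdr], "big")
    body = packet[hdr:hdr + body_len]
    if len(body) != body_len or body_len < 8:
        raise ValueError("truncated packet")
    # Body: version(1) created(4) validity-days(2) algorithm(1) MPI n, MPI e
    if body[0] not in (2, 3):
        raise ValueError(f"version {body[0]} key, not PGP-2 (v2/v3)")
    if body[7] not in (1, 2, 3):
        raise ValueError("v3 keys are RSA only")
    n, off = read_mpi(body, 8)
    e, _ = read_mpi(body, off)
    # v3 fingerprint: MD5 over the MPI magnitudes only (no bit-count prefixes).
    fingerprint = hashlib.md5(n + e).hexdigest().upper()
    key_id = n[-8:].hex().upper()      # low 64 bits of the modulus
    return fingerprint, key_id


# Constructed sample (toy 128-bit modulus, not a real key) so the block runs offline.
SAMPLE_N = bytes(range(0xA1, 0xB1))
SAMPLE_BODY = (b"\x03" + bytes(4) + bytes(2) + b"\x01"
               + struct.pack(">H", 128) + SAMPLE_N + struct.pack(">H", 5) + b"\x11")
SAMPLE_PACKET = b"\x98" + bytes([len(SAMPLE_BODY)]) + SAMPLE_BODY

if __name__ == "__main__":
    print(v3_key_info(SAMPLE_PACKET))
```

Run against the archived key, the two returned values are what would be compared with the key ID and the fingerprint quoted in the message.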