Re: verifying autoconf-2.69c.tar.xz.sig
From: Thien-Thi Nguyen
Subject: Re: verifying autoconf-2.69c.tar.xz.sig
Date: Sun, 04 Oct 2020 15:04:29 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

() Zack Weinberg <zackw@panix.com>
() Sun, 4 Oct 2020 12:25:19 -0400

   Key BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5 is exclusively used for
   signing Git commit records. [...]

   I uploaded those keys to the keyservers as well, so that people could
   easily validate the signatures on my commit records, but I thought I
   had arranged things so that they wouldn't take precedence over ...AA64
   in searches by email address. It seems I was wrong:

   $ gpg --auto-key-locate keyserver --locate-keys zackw@panix.com
   pub ed25519 2018-07-23 [SC]
       BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5
   uid [ full ] Zack Weinberg (code signing / moxana) <zackw@panix.com>

   I presume this is how Thien-Thi got the wrong key.

I followed the instructions in the release notice, which
mentions BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5 by a shorter
name:

> If that command fails because you don't have the required
> public key, then run this command to import it:
>
> gpg --keyserver keys.gnupg.net --recv-keys 384F8E68AC65B0D5

Probably it would suffice to follow up on that thread, naming the
desired key (short or full) to be downloaded, for others to see.

--
Thien-Thi Nguyen
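
Added example, not part of the original message or of the autoconf release tooling: a shell check that accepts a detached signature only when gpg's status output reports VALIDSIG for one pinned full fingerprint, so a different key returned by an email or key-ID lookup cannot satisfy it. The function names and the pin value are assumptions; the pin is a placeholder because the thread names the release key only as "...AA64".

```shell
#!/bin/sh
# Added example (hypothetical helper names): pin a release signature to one
# full fingerprint instead of trusting whichever key a lookup returned.

# sig_matches_pin PIN < output of `gpg --status-fd 1 --verify`
# Returns 0 only if a VALIDSIG line names PIN as the signing key or as its
# primary key and no bad/expired/revoked status was reported.
# Returns 2 if PIN is not a full 40-hex-digit fingerprint.
sig_matches_pin() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;      # not hex at all
    esac
    [ "${#expected}" -eq 40 ] || return 2  # short/long key IDs are not pins
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3 = fingerprint of the key that made the signature,
            # $NF = primary key fingerprint (equals $3 unless a subkey signed)
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        # Conservative policy: any of these statuses rejects the file.
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (ok && !bad ? 0 : 1) }
    '
}

# verify_release PIN SIGFILE DATAFILE: run gpg and apply the pin.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        sig_matches_pin "$1"
}

# Constructed status line: a valid signature made by the commit-signing key
# quoted in the thread, checked against a placeholder release-key pin.
PIN_PLACEHOLDER=0123456789ABCDEF0123456789ABCDEF01234567
sample='[GNUPG:] VALIDSIG BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5 2020-10-04 1601838269 0 4 0 22 10 00 BF156B83E4D5AD06AF3A0C2C384F8E68AC65B0D5'
if printf '%s\n' "$sample" | sig_matches_pin "$PIN_PLACEHOLDER"; then
    echo "accepted"
else
    echo "rejected: signer is not the pinned key"
fi
```

In real use the pin would be the release key's full fingerprint obtained out of band, passed as `verify_release "$PIN" autoconf-2.69c.tar.xz.sig autoconf-2.69c.tar.xz`.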