Re: Can't verify avrdude-6.3.tar.gz

From: Robert Cochran
Subject: Re: Can't verify avrdude-6.3.tar.gz
Date: Wed, 31 Mar 2021 19:31:34 -0400


I am not sure how you imported that key to your gpg keyring. The message "Can't check signature: No public key" means you do not have the named DSA key in your keyring. I downloaded the source and signature files and then did this:

gpg --keyserver pool.sks-keyservers.net --recv-keys F48CA81B69A85873

which resulted in

gpg: key F48CA81B69A85873: 3 duplicate signatures removed
gpg: key F48CA81B69A85873: 1 signature reordered
gpg: key F48CA81B69A85873: public key "Joerg Wunsch <j@uriah.heep.sax.de>" imported
gpg: Total number processed: 1
gpg:               imported: 1

With Joerg's key now in my keyring, I proceeded to verify:

gpg --verify avrdude-6.3.tar.gz.sig avrdude-6.3.tar.gz

which resulted in

gpg: Signature made Tue 16 Feb 2016 05:02:43 PM EST
gpg:                using DSA key F48CA81B69A85873
gpg: Good signature from "Joerg Wunsch <j@uriah.heep.sax.de>" [unknown]
gpg:                 aka "Joerg Wunsch <joerg@FreeBSD.org>" [unknown]
gpg:                 aka "Joerg Wunsch <j@ida.interface-business.de>" [unknown]
gpg:                 aka "Joerg Wunsch <joerg_wunsch@interface-systems.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5E84 F980 C3CA FD4B B584  1070 F48C A81B 69A8 5873

As long as I see the text 'good signature from', I'm happy, and consider the tarball to be verified.

As a note, I'm not sure how active avrdude is as a project now. There has not been an update since 2016. It has been a while since I've used avrdude myself. I've used it in the past and I like it. I'm very rusty these days. Read the documentation that exists and good luck to you! 

Thanks so much

Bob Cochran

On Wed, Mar 31, 2021 at 10:05 AM <hyperowl@secmail.pro> wrote:
I downloaded avrdude-6.3.tar.gz and avrdude-6.3.tar.gz.sig from
https://download.savannah.gnu.org/releases/avrdude/, tried to verify and
got this:

gpg: assuming signed data in 'avrdude-6.3.tar.gz'
gpg: Signature made Tue 16 Feb 2016 10:02:43 PM UTC
gpg:                using DSA key F48CA81B69A85873
gpg: key F48CA81B69A85873: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
gpg: Can't check signature: No public key

I also found https://github.com/facchinm/avrdude/releases but nothing
there is signed. What should I do now? It's important for me to build from
source and I'd much prefer it to be signed.
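
The verification from this thread in scripted form, as an added example that is not part of the original e-mails: it reads gpg's `--status-fd` output and succeeds only when a VALIDSIG line reports the primary key fingerprint shown above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed check of gpg's machine-readable status output.
# Fingerprint copied from the "Primary key fingerprint" line in this thread.
EXPECTED_FPR="5E84F980C3CAFD4BB5841070F48CA81B69A85873"

# check_status FPR: reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if a VALIDSIG line names FPR as the primary key and no
# BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG carries the primary key fingerprint as its 10th argument.
        $2 == "VALIDSIG" && NF >= 12 && toupper($12) == toupper(want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_file SIG FILE: runs gpg and feeds its status lines to check_status.
verify_file() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed sample status output (not captured from a real run).
sample_good() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F48CA81B69A85873 Joerg Wunsch <j@uriah.heep.sax.de>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2016-02-16 1455660163 0 4 0 17 2 00 $EXPECTED_FPR
EOF
}
# Constructed: the case in the original question, where the key is missing.
sample_nokey() {
    cat <<'EOF'
[GNUPG:] ERRSIG F48CA81B69A85873 17 2 00 1455660163 9 -
[GNUPG:] NO_PUBKEY F48CA81B69A85873
EOF
}
# Constructed: a valid signature from a different key (placeholder fingerprint).
sample_otherkey() {
    fpr=0000000000000000000000000000000000000000
    echo "[GNUPG:] VALIDSIG $fpr 2016-02-16 1455660163 0 4 0 17 2 00 $fpr"
}

if [ "$#" -eq 2 ]; then
    if verify_file "$1" "$2"; then echo "OK: signed by $EXPECTED_FPR"
    else echo "FAIL: no valid signature from $EXPECTED_FPR" >&2; exit 1; fi
fi
```

Run it as `sh verify.sh avrdude-6.3.tar.gz.sig avrdude-6.3.tar.gz` once the key has been imported (the script name is an assumption).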
