[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Can't verify avrdude-6.3.tar.gz
|
From: |
hyperowl |
|
Subject: |
Re: Can't verify avrdude-6.3.tar.gz |
|
Date: |
Sat, 3 Apr 2021 04:24:16 -0700 |
|
User-agent: |
SquirrelMail/1.4.22 |
Thanks for replying. I managed to solve the problem.
Here's the command I initially used:
gpg --no-default-keyring --keyring ./keys \
--auto-key-locate --auto-key-retrieve \
--verify avrdude-6.3.tar.gz.sig
I tried to alter --auto-key-locate without luck. E.g. I tried this:
--auto-key-locate local,keyserver-hkp://pool.sks-keyservers.net
Maybe I don't understand how it actually works. In the end I replaced it
with --keyserver like in your command and it worked.
> As a note, I'm not sure how active avrdude is as a project now. There has
> not been an update since 2016. It has been a while since I've used avrdude
> myself. I've used it in the past and I like it. I'm very rusty these days.
> Read the documentation that exists and good luck to you!
I wanna program ATmega328P via linuxgpio. I found some pretty old
tutorials on the subject so I figured I should be fine with 6.3. Anyway,
thanks for the help.
> Hi!
>
> I am not sure how you imported that key to your gpg keyring. The message
> 'Can't check signature: No public key" means you do not have the named DSA
> key in your keyring. I downloaded the source and signature files and then
> did this:
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F48CA81B69A85873
>
>
> which resulted in
>
>
> gpg: key F48CA81B69A85873: 3 duplicate signatures removed
>
> gpg: key F48CA81B69A85873: 1 signature reordered
>
> gpg: key F48CA81B69A85873: public key "Joerg Wunsch <j@uriah.heep.sax.de>"
> imported
>
> gpg: Total number processed: 1
>
> gpg: imported: 1
>
>
> With Joerg's key now in my keyring, I proceeded to verify:
>
>
> gpg --verify avrdude-6.3.tar.gz.sig avrdude-6.3.tar.gz
>
>
> which resulted in
>
>
> gpg: Signature made Tue 16 Feb 2016 05:02:43 PM EST
>
> gpg: using DSA key F48CA81B69A85873
>
> gpg: Good signature from "Joerg Wunsch <j@uriah.heep.sax.de>" [unknown]
>
> gpg: aka "Joerg Wunsch <joerg@FreeBSD.org>" [unknown]
>
> gpg: aka "Joerg Wunsch <j@ida.interface-business.de>"
> [unknown]
>
> gpg: aka "Joerg Wunsch
> <joerg_wunsch@interface-systems.de>"
> [unknown]
>
> gpg: WARNING: This key is not certified with a trusted signature!
>
> gpg: There is no indication that the signature belongs to the
> owner.
>
> Primary key fingerprint: 5E84 F980 C3CA FD4B B584 1070 F48C A81B 69A8
> 5873
>
>
> As long as I see the text 'good signature from', I'm happy, and consider
> the tarball to be verified.
>
>
> As a note, I'm not sure how active avrdude is as a project now. There has
> not been an update since 2016. It has been a while since I've used avrdude
> myself. I've used it in the past and I like it. I'm very rusty these days.
> Read the documentation that exists and good luck to you!
>
>
> Thanks so much
>
>
> Bob Cochran
>
>
>
>
>
>
>
>
> On Wed, Mar 31, 2021 at 10:05 AM <hyperowl@secmail.pro> wrote:
>
>> I downloaded avrdude-6.3.tar.gz and avrdude-6.3.tar.gz.sig from
>> https://download.savannah.gnu.org/releases/avrdude/, tried to verify and
>> got this:
>>
>> gpg: assuming signed data in 'avrdude-6.3.tar.gz'
>> gpg: Signature made Tue 16 Feb 2016 10:02:43 PM UTC
>> gpg: using DSA key F48CA81B69A85873
>> gpg: key F48CA81B69A85873: new key but contains no user ID - skipped
>> gpg: Total number processed: 1
>> gpg: w/o user IDs: 1
>> gpg: Can't check signature: No public key
>>
>> I also found https://github.com/facchinm/avrdude/releases but nothing
>> there is signed. What should I do now? It's important for me to build
>> from
>> source and I'd much prefer it to be signed.
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Can't verify avrdude-6.3.tar.gz,
hyperowl <=