bug-wget
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: wget-1.21.2 released [stable]

From: Darshit Shah
Subject: Re: wget-1.21.2 released [stable]
Date: Wed, 8 Sep 2021 17:41:44 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 
Hi Derek,

Sorry for the inconvenience with the GPG keys. I made sure that my key
was valid before I signed and uploaded the tarball.

See below:
gpg --list-key A91A35B6

pub   rsa4096/0x2A1743EDA91A35B6 2015-10-14 [SC] [expires: 2022-09-07]
      Key fingerprint = 7845 120B 07CB D8D6 ECE5  FF2B 2A17 43ED A91A 35B6
uid                   [  full  ] Darshit Shah <gpg@darnir.net>
uid                   [  full  ] Darshit Shah <darnir@gnu.org>
sub   rsa4096/0xE92ADE6826DF1410 2015-10-14 [E] [expires: 2022-09-07]
sub   rsa4096/0x64FF90AAE8C70AF9 2016-08-14 [S] [expires: 2022-09-07]
sub   rsa4096/0x5CEAE5CAD23ABCBF 2016-08-19 [A] [expires: 2022-09-07]

It seems like querying the gnupg keyserver with the signing keyid
doesn't work. I'll have to update the release script to not use that,
but instead the actual fingerprint.

And secondly, while I've uploaded my key to the keyservers, it seems
like the process failed without error. I'll look into it this evening.

Thanks for bringing it to my attention!

On 08.09.21 16:47, Derek Martin wrote:
> On Tue, Sep 07, 2021 at 05:22:03PM -0400, Derek Martin wrote:
>> On Tue, Sep 07, 2021 at 09:28:49PM +0200, Darshit Shah wrote:
>>> We are pleased to announce the release of GNU Wget 1.21.2
>> [...]
>>>   gpg --verify wget-1.21.2.tar.gz.sig
>>>
>>> If that command fails because you don't have the required public key,
>>> then run this command to import it:
>>>
>>>   gpg --keyserver keys.gnupg.net --recv-keys 64FF90AAE8C70AF9
>>
>> $ gpg --keyserver keys.gnupg.net --recv-keys 64FF90AAE8C70AF9
>> gpg: keyserver receive failed: No name
>>
>> :(
> 
> Tried other key servers as well...
> 
> $ gpg --keyserver keys.openpgp.org --recv-keys 64FF90AAE8C70AF9
> gpg: key 2A1743EDA91A35B6: no user ID
> gpg: Total number processed: 1
> 
> $ gpg --list-key 64FF90AAE8C70AF9
> gpg: error reading key: No public key
> 
> Was able to get it from Ubunu's key server, however:
> 
> $ gpg --keyserver keyserver.ubuntu.com --recv-keys 64FF90AAE8C70AF9
> gpg: key 2A1743EDA91A35B6: 8 duplicate signatures removed
> gpg: key 2A1743EDA91A35B6: 104 signatures not checked due to missing
> keys
> gpg: key 2A1743EDA91A35B6: public key "Darshit Shah <gpg@darnir.net>"
> imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1
> 
> $ gpg  --verify wget-1.21.2.tar.gz.sig wget-1.21.2.tar.gz
> gpg: Signature made Tue 07 Sep 2021 03:05:35 PM EDT
> gpg:                using RSA key
> 6B98F637D879C5236E277C5C64FF90AAE8C70AF9
> gpg: Good signature from "Darshit Shah <gpg@darnir.net>" [expired]
> gpg:                 aka "Darshit Shah <darnir@gnu.org>" [expired]
> gpg: Note: This key has expired!
> Primary key fingerprint: 7845 120B 07CB D8D6 ECE5  FF2B 2A17 43ED A91A 35B6
>      Subkey fingerprint: 6B98 F637 D879 C523 6E27  7C5C 64FF 90AA E8C7 0AF9
> 
> In particular, note:
> 
>> gpg: Note: This key has expired!
> 
> And:
> 
> $ gpg --list-key 0x64FF90AAE8C70AF9
> pub   rsa4096 2015-10-14 [SC] [expired: 2020-08-16]
>       7845120B07CBD8D6ECE5FF2B2A1743EDA91A35B6
> uid           [ expired] Darshit Shah <gpg@darnir.net>
> uid           [ expired] Darshit Shah <darnir@gnu.org>
> 
> This key has been expired for over a year.
> 
> Please take care of the maintenance of your GPG key and if appropriate
> re-sign the tarball.
>

Attachment: OpenPGP_0x2A1743EDA91A35B6.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]