Re: Unable to verify file integrity of which source tarball

[Rolando Garza C.]

> It is currently not possible to verify file integrity of the "which"
> packages hosted on gnu.org (https://ftp.gnu.org/gnu/which/).
>
> gpg --keyserver keyserver.ubuntu.com --recv-keys
> 6FD2C61D624ACAD5                                                          
> gpg: Total number processed: 1
> gpg:     skipped PGP-2 keys: 1

I did a deep-dive trying to find the old signing public key 
(0x6FD2C61D624ACAD5, or by the short handle of 624ACAD5); it can be 
found by using the Internet Archive [0].

Also, I haven't been able to inspect the downloaded key, but I did find 
an online source that listed the fingerprint as:

    32 EC A7 B6 AC DB 65 A6  F6 F6 55 DD 1C DC FF 61
    (32ECA7B6ACDB65A6F6F655DD1CDCFF61 for short)

It seems it might be required to download and compile gnupg-1.4.23 to 
try to import the old signature with the old binary pgp2 format [1].

However, I was unable to build gnupg-1.4.23 (I got some weird errors, 
but I may try to build it again at a later date); coincidentally, it was 
also signed with Werner Koch's old signing key, with fingerprint:

    D8692123C4065DEA5E0F3AB5249B39D24F25E3B6

Anyhow, is there a chance, Carlo, that the newest version of which be 
re-signed with your new signing key?

Kind regards,

Rolando

[0]: 
https://web.archive.org/web/20150912123014if_/http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=which&download=1

[1]: 
https://unix.stackexchange.com/questions/404879/converting-old-pgp-keys-to-gpg-resolved#comment724527_404879

--
Rolando Garza

OpenPGP_0xE726BC7BEF39923D.asc
Description: OpenPGP public key

OpenPGP_signature
Description: OpenPGP digital signature