[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Unable to verify file integrity of which source tarball
From: |
Carlo Wood |
Subject: |
Re: Unable to verify file integrity of which source tarball |
Date: |
Fri, 11 Mar 2022 21:16:28 +0100 |
I don't think that that old key is supported anymore.
I think that this mail will be signed with my new/current key.
But the last time that gnu which was released is from before
when I created this key.
Also, I have no idea how to re-upload a new tar ball :P.
Perhaps you feel more secure to get it from my own website:
http://carlowood.github.io/which/index.html
On Fri, 11 Mar 2022 15:16:29 +0100
"Rolando Garza C." <rolandog@gmail.com> wrote:
> > It is currently not possible to verify file integrity of the "which"
> > packages hosted on gnu.org (https://ftp.gnu.org/gnu/which/).
> >
> > gpg --keyserver keyserver.ubuntu.com --recv-keys
> > 6FD2C61D624ACAD5
> > gpg: Total number processed: 1
> > gpg: skipped PGP-2 keys: 1
> >
>
> I did a deep-dive trying to find the old signing public key
> (0x6FD2C61D624ACAD5, or by the short handle of 624ACAD5); it can be
> found by using the Internet Archive [0].
>
> Also, I haven't been able to inspect the downloaded key, but I did
> find an online source that listed the fingerprint as:
>
> 32 EC A7 B6 AC DB 65 A6 F6 F6 55 DD 1C DC FF 61
> (32ECA7B6ACDB65A6F6F655DD1CDCFF61 for short)
>
> It seems it might be required to download and compile gnupg-1.4.23 to
> try to import the old signature with the old binary pgp2 format [1].
>
> However, I was unable to build gnupg-1.4.23 (I got some weird errors,
> but I may try to build it again at a later date); coincidentally, it
> was also signed with Werner Koch's old signing key, with fingerprint:
>
> D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
>
> Anyhow, is there a chance, Carlo, that the newest version of which be
> re-signed with your new signing key?
>
> Kind regards,
>
> Rolando
>
> [0]:
> https://web.archive.org/web/20150912123014if_/http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=which&download=1
>
> [1]:
> https://unix.stackexchange.com/questions/404879/converting-old-pgp-keys-to-gpg-resolved#comment724527_404879
>
pgpZIFmjE0EyM.pgp
Description: OpenPGP digital signature