which-bugs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Unable to verify file integrity of which source tarball

From: Carlo Wood
Subject: Re: Unable to verify file integrity of which source tarball
Date: Fri, 11 Mar 2022 21:16:28 +0100 
I don't think that that old key is supported anymore.

I think that this mail will be signed with my new/current key.
But the last time that gnu which was released is from before
when I created this key.

Also, I have no idea how to re-upload a new tar ball :P.

Perhaps you feel more secure to get it from my own website:
http://carlowood.github.io/which/index.html

On Fri, 11 Mar 2022 15:16:29 +0100
"Rolando Garza C." <rolandog@gmail.com> wrote:

> > It is currently not possible to verify file integrity of the "which"
> > packages hosted on gnu.org (https://ftp.gnu.org/gnu/which/).
> > 
> > gpg --keyserver keyserver.ubuntu.com --recv-keys
> > 6FD2C61D624ACAD5
> > gpg: Total number processed: 1
> > gpg:     skipped PGP-2 keys: 1
> >   
> 
> I did a deep-dive trying to find the old signing public key 
> (0x6FD2C61D624ACAD5, or by the short handle of 624ACAD5); it can be 
> found by using the Internet Archive [0].
> 
> Also, I haven't been able to inspect the downloaded key, but I did
> find an online source that listed the fingerprint as:
> 
>      32 EC A7 B6 AC DB 65 A6  F6 F6 55 DD 1C DC FF 61
>      (32ECA7B6ACDB65A6F6F655DD1CDCFF61 for short)
> 
> It seems it might be required to download and compile gnupg-1.4.23 to 
> try to import the old signature with the old binary pgp2 format [1].
> 
> However, I was unable to build gnupg-1.4.23 (I got some weird errors, 
> but I may try to build it again at a later date); coincidentally, it
> was also signed with Werner Koch's old signing key, with fingerprint:
> 
>      D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> 
> Anyhow, is there a chance, Carlo, that the newest version of which be 
> re-signed with your new signing key?
> 
> Kind regards,
> 
> Rolando
> 
> [0]: 
> https://web.archive.org/web/20150912123014if_/http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=which&download=1
> 
> [1]: 
> https://unix.stackexchange.com/questions/404879/converting-old-pgp-keys-to-gpg-resolved#comment724527_404879
>

Attachment: pgpZIFmjE0EyM.pgp
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]