Hi,

#tcsh#machine# gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz
gpg: Signature made Wed May 25 08:26:24 2005 EDT using DSA key ID 86FF9C48
gpg: BAD signature from "Damien Miller (Personal Key) <djm at mindrot.org>"

I made sure that I had the same key loaded that the signature was made
with, but that didn't change the error.

Thanks,
Matt

--
Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating Furry Fan.
"Always with the negative waves, Moriarty" - Oddball
"Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
Matt Goebel wrote:
> #tcsh#machine# gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz
> gpg: Signature made Wed May 25 08:26:24 2005 EDT using DSA key ID 86FF9C48
> gpg: BAD signature from "Damien Miller (Personal Key) <djm at mindrot.org>"

From the datestamps it looks like the signature has been updated. The
current one does verify.

There was a last-minute change to the tarball and I suspect the
signature was not updated at the time of the release.

$ gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz
gpg: Signature made Thu 26 May 2005 06:31:21 PM EST using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <djm at mindrot.org>"

$ openssl sha1 openssh-4.1p1.tar.gz openssh-4.1p1.tar.gz.asc
SHA1(openssh-4.1p1.tar.gz)= e85d389da8ad8290f5031b8f9972e2623c674e46
SHA1(openssh-4.1p1.tar.gz.asc)= 1e59229f4ca6eb5aa0a3f13aeee8150559b98139

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker wrote:
> From the datestamps it looks like the signature has been updated. The
> current one does verify.
>
> There was a last-minute change to the tarball and I suspect the
> signature was not updated at the time of the release.

Close - the release scripts now sign the tar.gz files directly with
gzsig[1], but I erroneously added this *after* the gpg/sha1 signature
generation. Since it modified the .gz file, it broke the signature.

This was noticed very quickly, but getting the updated signature
distributed to the mirrors took some time because the master ftp server
had "issues".

-d

[1] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/gzsig/
    http://monkey.org/~dugsong/gzsig-1.0.tar.gz
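
The ordering problem described in this thread, as an added example that is not part of the original messages or of the OpenSSH release scripts: a detached digest or signature covers the exact bytes of the .gz file, so any step that rewrites the file afterwards invalidates it even though the archive contents are unchanged. The gzip extra field used here is only an assumed stand-in for an in-place modification and does not reproduce gzsig's actual format; SAMPLE, FAKE_SIG and the function names are constructed for illustration.

```python
import gzip
import hashlib
import struct

# Constructed sample data; neither value comes from the thread.
SAMPLE = b"constructed stand-in for the release tarball contents\n" * 64
FAKE_SIG = b"constructed placeholder for an embedded signature"


def add_extra_field(gz: bytes, payload: bytes) -> bytes:
    """Insert an RFC 1952 FEXTRA subfield into a gzip header."""
    if gz[:2] != b"\x1f\x8b" or gz[2] != 8:
        raise ValueError("not a deflate gzip member")
    flags = gz[3]
    if flags & 0x06:  # FHCRC or FEXTRA already present: not handled here
        raise ValueError("unsupported header flags")
    # Subfield = 2-byte id ("ZZ", constructed), little-endian length, data.
    sub = b"ZZ" + struct.pack("<H", len(payload)) + payload
    header = gz[:3] + bytes([flags | 0x04]) + gz[4:10]
    # FEXTRA is the first optional field, so it goes right after byte 10.
    return header + struct.pack("<H", len(sub)) + sub + gz[10:]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def simulate_release(embed_first: bool) -> bool:
    """Return True if the published digest matches the published file."""
    tarball = gzip.compress(SAMPLE, mtime=0)
    if embed_first:
        tarball = add_extra_field(tarball, FAKE_SIG)
        published = sha1_hex(tarball)   # digest taken over the final bytes
    else:
        published = sha1_hex(tarball)   # digest taken too early
        tarball = add_extra_field(tarball, FAKE_SIG)
    # The archive still decompresses to the same content either way.
    assert gzip.decompress(tarball) == SAMPLE
    return sha1_hex(tarball) == published


if __name__ == "__main__":
    print("digest after embedding verifies: ", simulate_release(True))
    print("digest before embedding verifies:", simulate_release(False))
```

A release script can guard against this by re-running the verification step against the final artifacts as its last action, before anything is uploaded.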