On Sat, 14 Jan 2023 at 09:13, Jeff Mericle
<jeffmericle at morningstarcc.org> wrote:
> I recently downloaded openssh-8.9pl.tar.gz, openssh-8.9pl.tar.gz, and
> DJM-GPG-KEY.asc. I discovered that DJM-GPG-KEY.asc [...]
> I thought you might like to know this in order to place the proper public
> signature file with the distros.

It's there, it's just in the next directory up (since it's also used
to sign the OpenBSD-specific files which are in that directory).
This is described on the OpenSSH Portable download page
(https://www.openssh.com/portable.html):
"""
The following files describe the development efforts of the OpenSSH
portability development team. The release files are signed with the
PGP public key contained in the file RELEASE_KEY.asc on the ftp site.
This key is also available through the key server network and has a
fingerprint of 7168B983815A5EEF59A4ADFD2A3F414E736060BA.
"""
and release notes (https://www.openssh.com/releasenotes.html):
"""
The PGP key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
"""
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
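
One way to act on the fingerprint quoted in the reply above, as an added example that is not part of the original message or of OpenSSH's own tooling: verify a release signature against RELEASE_KEY.asc and accept it only when GnuPG's machine-readable VALIDSIG status line names the pinned fingerprint. The function names and PINNED_FPR are hypothetical, and it assumes gpg and gpgv are installed.

```shell
#!/bin/sh
# Added example: pin the OpenSSH release key by fingerprint instead of
# trusting any "Good signature" message. Function names are hypothetical.

# Fingerprint as quoted from https://www.openssh.com/portable.html above.
PINNED_FPR=7168B983815A5EEF59A4ADFD2A3F414E736060BA

# Strip spaces/newlines and uppercase, so "7168 b983 ..." also compares equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Reads GnuPG --status-fd output on stdin. Succeeds only if a VALIDSIG line
# names the wanted fingerprint, either as the signing key (3rd field) or as
# the primary key (last field). GOODSIG alone is not enough: it carries only
# a key ID, and VALIDSIG is emitted only for a cryptographically valid
# signature.
status_signed_by() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit !ok }'
}

# verify_release KEYFILE SIGFILE TARBALL
# Builds a throwaway keyring holding only KEYFILE, so keys already present
# in the user's own keyring cannot satisfy the check.
verify_release() {
    ring=$(mktemp) || return 1
    gpg --dearmor < "$1" > "$ring" &&
        gpgv --keyring "$ring" --status-fd 1 "$2" "$3" 2>/dev/null |
            status_signed_by "$PINNED_FPR"
    rc=$?
    rm -f "$ring"
    return "$rc"
}

# Usage: sh verify.sh RELEASE_KEY.asc <tarball>.asc <tarball>
if [ "$#" -eq 3 ]; then
    verify_release "$1" "$2" "$3" && echo "signature made by pinned release key"
fi
```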