From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: brooke@alchemists.io, git@vger.kernel.org
Subject: Re: How to Verify Git GPG Signed Downloads?
Date: Sun, 24 Jan 2021 21:33:52 +0000 [thread overview]
Message-ID: <YA3nwFcYz4tbhrlO@camp.crustytoothpaste.net> (raw)
In-Reply-To: <022601d6f27a$58a97200$09fc5600$@pdinc.us>
[-- Attachment #1: Type: text/plain, Size: 2089 bytes --]
On 2021-01-24 at 17:57:13, Jason Pyeron wrote:
> $ gpg --recv-keys 96AFE6CB
> gpg: requesting key 96AFE6CB from hkp server keys.gnupg.net
> gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 59 new signatures
> gpg: key 713660A7: "Junio C Hamano <gitster@pobox.com>" 2 new subkeys
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg: new subkeys: 2
> gpg: new signatures: 59
>
> $ gpg --verify -v git-2.30.0.tar.sign git-2.30.0.tar.gz
> gpg: Signature made Mon Dec 28 01:12:30 2020 EST using RSA key ID 96AFE6CB
> gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
> gpg: using subkey 96AFE6CB instead of primary key 713660A7
> gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
> gpg: using PGP trust model
> gpg: BAD signature from "Junio C Hamano <gitster@pobox.com>"
> gpg: binary signature, digest algorithm SHA256
The signature is bad because it's over the uncompressed .tar, not the
.tar.gz. There is also a .tar.xz and the signature is the same. You
therefore need to uncompress it first with gunzip.
> $ gpg --list-keys -v 96AFE6CB
> gpg: using PGP trust model
> gpg: NOTE: signature key 96AFE6CB expired Sun Jul 26 13:41:24 2020 EDT
> gpg: NOTE: signature key B3F7CAC9 expired Sun Jul 26 13:41:42 2020 EDT
> pub 4096R/713660A7 2011-10-01
> uid Junio C Hamano <gitster@pobox.com>
> uid Junio C Hamano <junio@pobox.com>
> uid Junio C Hamano <jch@google.com>
> sub 4096R/96AFE6CB 2011-10-03 [expired: 2020-07-26]
> sub 4096R/833262C4 2011-10-01
> sub 4096R/B3F7CAC9 2014-09-20 [expired: 2020-07-26]
>
> It is possible that Junio forgot to push his refreshed public key.
Yes, I think that's the case.
--
brian m. carlson (he/him or they/them)
Houston, Texas, US
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 263 bytes --]
next prev parent reply other threads:[~2021-01-24 21:34 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-24 16:49 How to Verify Git GPG Signed Downloads? Brooke Kuhlmann
2021-01-24 17:57 ` Jason Pyeron
2021-01-24 21:33 ` brian m. carlson [this message]
2021-01-24 22:24 ` Jason Pyeron
2021-01-25 1:03 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YA3nwFcYz4tbhrlO@camp.crustytoothpaste.net \
--to=sandals@crustytoothpaste.net \
--cc=brooke@alchemists.io \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.