Was gnupg-2.1.16.tar.bz2.sig updated?

Roman Bogorodskiy bogorodskiy at gmail.com
Sat Dec 3 17:00:53 CET 2016


Hi,

It looks like gnupg-2.1.16.tar.bz2.sig was updated after the release of
gnupg 2.1.16.

At the time of release it was:

SHA256 (gnupg-2.1.16.tar.bz2.sig.orig) =
91dd1279956a533a721f3e2dc06a092248cea8bd9a5259dc19f8d7573c1d3d12

Now it is:

SHA256 (gnupg-2.1.16.tar.bz2.sig) =
b00b297eed7dcbbb259e960b9e4442de031124f41ea870efa5e7a367a9779fa7

It looks like an additional signature was added:

$ gpg2 --verify gnupg-2.1.16.tar.bz2.sig.orig /usr/ports/distfiles/gnupg-2.1.16.tar.bz2
gpg: Signature made пятница, 18 ноября 2016 г. 18:58:06
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [ultimate]

$ gpg2 --verify gnupg-2.1.16.tar.bz2.sig /usr/ports/distfiles/gnupg-2.1.16.tar.bz2
gpg: Signature made пятница, 18 ноября 2016 г. 18:58:06
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [ultimate]
gpg: Signature made суббота, 19 ноября 2016 г. 07:18:00
gpg:                using RSA key 2071B08A33BD3F06
gpg: Good signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe at fsij.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06

Also, the new sig is reported as expired.

Was that an intentional change?

The reason I'm asking is that both the release tarball and the sig are used
by the FreeBSD port [1], and when a checksum changes for any of the
files, the port refuses to use it (unless there's some mirror with the old
file or unless the user explicitly forces it to continue).

1:
https://svnweb.freebsd.org/ports/head/security/gnupg/distinfo?revision=426573&view=co

Roman Bogorodskiy
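What the two `gpg2 --verify` runs above show is that a detached `.sig` file is just a sequence of OpenPGP signature packets, and appending a second signer's packet changes the file's SHA256 even though the first signature is untouched. The following parser, added here as an illustration and not code from the mail or from GnuPG, walks the packet headers (RFC 4880 section 4.2) and the v4 signature subpackets, and lists each signature's issuer key ID and creation time so a packager can see exactly what changed between two versions of a `.sig`. The two sample files at the bottom are constructed: their packets are structurally valid but carry dummy MPI values, not real signatures; the key IDs are the short IDs from the `gpg` output in the mail, and the timestamps are assumed UTC conversions of the dates shown there.

```python
"""List the signature packets inside an OpenPGP detached-signature (.sig) file."""
import hashlib
import struct
from datetime import datetime, timezone

SIG_CREATION_TIME = 2   # subpacket type 2 (RFC 4880 5.2.3.4)
ISSUER_KEY_ID = 16      # subpacket type 16 (RFC 4880 5.2.3.5)


def _read_packet_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet at buf[pos] (RFC 4880 4.2)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if first & 0x40:  # new-format header
        tag = first & 0x3F
        o1 = buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not used for signature packets")
    tag = (first >> 2) & 0x0F  # old-format header
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate-length packet")
    nbytes = (1, 2, 4)[ltype]
    length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    return tag, pos + 1 + nbytes, length


def _parse_subpackets(area):
    """Yield (type, data) for each subpacket in a hashed/unhashed area (RFC 4880 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        o1 = area[pos]
        if o1 < 192:
            length, pos = o1, pos + 1
        elif o1 < 255:
            length, pos = ((o1 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        sub_type = area[pos] & 0x7F  # drop the "critical" bit
        yield sub_type, area[pos + 1:pos + length]  # length counts the type octet
        pos += length


def _parse_v4_signature(body):
    """Extract the fields a packager cares about from a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled here")
    sig = {"version": 4, "sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3],
           "created": None, "issuer": None}
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    for sub_type, data in list(_parse_subpackets(hashed)) + list(_parse_subpackets(unhashed)):
        if sub_type == SIG_CREATION_TIME:
            sig["created"] = struct.unpack(">I", data[:4])[0]
        elif sub_type == ISSUER_KEY_ID:
            sig["issuer"] = data[:8].hex().upper()
    return sig


def list_signatures(sig_file_bytes):
    """Return one dict per signature packet (tag 2) found in a binary .sig file."""
    sigs, pos = [], 0
    while pos < len(sig_file_bytes):
        tag, start, length = _read_packet_header(sig_file_bytes, pos)
        if tag == 2:
            sigs.append(_parse_v4_signature(sig_file_bytes[start:start + length]))
        pos = start + length
    return sigs


def describe(sig_file_bytes):
    """Checksum plus one summary line per signature, in the spirit of distinfo + gpg --verify."""
    lines = ["SHA256 = " + hashlib.sha256(sig_file_bytes).hexdigest()]
    for s in list_signatures(sig_file_bytes):
        when = datetime.fromtimestamp(s["created"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        lines.append("signature by key %s made %s (pk algo %d, hash algo %d)"
                     % (s["issuer"], when, s["pk_algo"], s["hash_algo"]))
    return lines


# Constructed sample data: structurally valid v4 signature packets with a dummy
# hash prefix and a dummy one-byte MPI. These are NOT real signatures.
def _fake_sig_packet(issuer_hex, created):
    hashed = bytes([5, SIG_CREATION_TIME]) + struct.pack(">I", created)
    unhashed = bytes([9, ISSUER_KEY_ID]) + bytes.fromhex(issuer_hex)
    body = (bytes([4, 0x00, 1, 8])              # v4, binary-document sig, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00"                       # left 16 bits of the hash (dummy)
            + b"\x00\x08\x2a")                  # one 8-bit MPI (dummy signature value)
    return bytes([0x88, len(body)]) + body       # old-format header, tag 2, 1-byte length


SIG_ORIG = _fake_sig_packet("249B39D24F25E3B6", 1479484686)   # assumed: 2016-11-18 15:58:06 UTC
SIG_NEW = SIG_ORIG + _fake_sig_packet("2071B08A33BD3F06", 1479529080)  # second packet appended

if __name__ == "__main__":
    for label, data in (("original", SIG_ORIG), ("current", SIG_NEW)):
        print(label)
        for line in describe(data):
            print("  " + line)
```

Run it on the real files (`list_signatures(open("gnupg-2.1.16.tar.bz2.sig", "rb").read())`) and the output makes the situation in the mail explicit: the original signature packet is still byte-for-byte present at the front of the new file, so the first checksum in distinfo is a prefix match rather than a replacement, but any hash over the whole file necessarily differs once a second packet is appended. Note that this parser reads packet structure only; it does not verify anything, and key expiry such as the `[expired]` flag reported above is a property of the signing key, not of the signature packet.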