J Horacio MG (Horacio)
Wed, 1 Dec 1999 13:04:51 +0100

On Wed, 01 Dec 1999, at 11:09:36 +0100, Markus Konstroffer said:

> So what is the answer to my question?
> Why does it say the package is signed by Werner Koch and has to be signed
> by him to be safe to install, but it is not signed with one of his keys?
> Remember: I downloaded the package from
> and not a mirror-site.

It is signed with his key, but with a "detached signature" (have a look at the manual on for detached sigs). This means that you must download the source tarball and the detached signature(s):

    gnupg-1.0.0.tar.gz
    gnupg-1.0.0.tar.gz.asc
                       ^^^

then (with both files in the same directory) verify the sig:

    gpg --verify gnupg-1.0.0.tar.gz.asc

or, if you have PGP 5.x installed:

His old RSA key is around just in case you don't have a version of GnuPG installed and you want to verify it with PGP 2.x (I believe that is gnupg-1.0.0.tar.gz.sig)

HTH
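
The detached-signature check described in the reply above, as an added example that is not part of the original message: `gpg --verify` reports a good signature for any key in the keyring, so this sketch also pins the signer's fingerprint by reading gpg's `--status-fd` output. The function names are hypothetical, and the fingerprint and status lines are constructed placeholders, not Werner Koch's real key data.

```shell
#!/bin/sh
# Constructed placeholder fingerprint; replace with one obtained out of band.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed samples of gpg --status-fd output, used to exercise the parser.
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $EXPECTED_FPR 1999-09-07 936662400 0 3 0 17 2 00 $EXPECTED_FPR"
SAMPLE_OTHER_KEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Someone Else <other@example.org>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 1999-09-07 936662400 0 3 0 17 2 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>"

# sig_matches_fpr EXPECTED_FPR
# Reads status lines on stdin; succeeds only if a VALIDSIG line names
# EXPECTED_FPR as the signing key (field 3) or its primary key (last field).
sig_matches_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ($3 == want || $NF == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# verify_detached SIGFILE DATAFILE EXPECTED_FPR
# Runs gpg on the detached signature and accepts the result only when the
# signature is valid AND was made by the pinned key.
verify_detached() {
    [ -f "$1" ] && [ -f "$2" ] || { echo "missing file" >&2; return 2; }
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        sig_matches_fpr "$3"
}

# Stand-alone use: script.sh gnupg-1.0.0.tar.gz.asc gnupg-1.0.0.tar.gz FPR
if [ "$#" -eq 3 ]; then
    verify_detached "$@"
fi
```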