GnuPGP-Download
J Horacio MG
homega@ciberia.es (Horacio)
Wed, 1 Dec 1999 13:04:51 +0100
El mié, 01 de dic de 1999, a las 11:09:36 +0100, Markus Konstroffer dijo:
> So what is the answer to my question?
>
> Why does it say the package is signed by Werner Koch and has to be signed
> by him to be safe to install, but it is not signed with one of his keys?
>
> Remember: I downloaded the package from
> ftp://ftp.gnupg.org/pub/gcrypt/gnupg/
>
> and not a mirror-site.
It is signed with his key, but with a "detached signature" (have a look
at the manual on www.gnupg.org for detached sigs). This means that you
must download the source tarball and the detached signature(s):
gnupg-1.0.0.tar.gz
gnupg-1.0.0.tar.gz.asc
^^^
then (with both files in the same directory) verify the sig:
gpg --verify gnupg-1.0.0.tar.gz.asc
or, if you have PGP 5.x installed:
His old RSA key is around just in case you don't have a version of GnuPG
installed and you want to verify it with PGP 2.x (I believe that is
gnupg-1.0.0.tar.gz.sig)
HTH
--
Horacio Anno MMDCCLII ad Urbe condita
mailto:homega@ciberia.es
~ Spain ~Spanje ~ Spanien
--------------------------------------------------------------------
Key fingerprint = F4EE AE5E 2F01 0DB3 62F2 A9F4 AD31 7093 4233 7AE6