verifying a package

Lars Hecking lhecking@nmrc.ie
Wed Oct 17 16:44:01 2001



> I've encountered a problem verifying a software package:
>
> > gpg --verify wu-ftpd-2.6.1.tar.gz.asc
> gpg: Signature made Sun Jul 2 07:18:43 2000 CEST using RSA key ID 62885875
> gpg: BAD signature from "WU-FTPD Development Group <wuftpd-members@wu-ftpd.org>"
>
> I've asked the maintainer of the package, he can verify the signature
> with PGP (6.5.8). The key I use has the same footprint as the one he
> gave me. I took the archive from the main wuftpd site:
>
> ftp://ftp.wu-ftpd.org/pub/
>
> Could someone check if it's me, and if not, if it's a problem related
> to gpg?

Same here with gpg 1.0.6, i.e. BAD signature. As a side note, I wouldn't bother with a package that has wu-ftpd's security history. Search freshmeat for vsftpd. It's more secure and faster than wu-ftpd, and it has a similar set of configuration options.