md5sum for egd, gnupg

[Adam Pavelec]

On Wednesday, August 13, 2003 1:33 PM [GMT-5=EST], Ross Druker
<RDruker@alamo.sh.rohmhaas.com> wrote:

> Hi,
> I'm trying to verify the md5sum for egd.  When I download the sum
> file from this page:
> http://www.gnupg.org/(en)/download/index.html
>
> I get the file:
> ftp://ftp.gnupg.org/gcrypt/egd/egd-0.8.tar.gz.asc
>
> It displays as this:
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQA5HggpLnyKqEtxxE4RAoOkAJ9Bb5uHUWoQe4BQH1XPD9IoAsifyQCg5SGE
> KrAW9vlz+E8WYQcDp+gEC9w=
> =Wvmm
> -----END PGP SIGNATURE-----
>
> This does not match at all with what md5sum displays for the actual
> file, nor does the content even look right.
>
> I asked another user to try and he couldn't even display this in his
>  browser. He had to download it.  Then, when he tried to display it,
> it was binary.
>
> I get the same problem with the md5sum file for gnupg, but at least
> its sum is posted on another page, so I could use that.
>
> Anybody know what the problem is?  I did notice that the gnupg file
> ends in .sig, which the egd file ends in .asc.
>
> Thanks,
> Ross

I /think/ the signature was linked to the wrong file.  Both the FTP and
HTTP links grabbed <gnupg-1.2.2.tar.bz2.sig> when I first checked.  A
few minutes later they grabbed <egd-0.8.tar.gz.asc>, which when
verified, gave this output:

Signature made 05/13/00 21:58:01  using DSA key ID 4B71C44E
Good signature from "expired (see http://www.lothar.com/warner-gpg.html
for my current key) <warner@lothar.com>"
                aka "Brian Warner (home) <warner@lothar.com>"
Note: This key has expired!
Primary key fingerprint: FB31 2FCE 0978 3644 BEB4  9432 2E7C 8AA8 4B71
C44E

File: egd-0.8.tar.gz.asc
Time: 8/13/2003 2:31:07 PM (8/13/2003 6:31:07 PM UTC)

So, it appears that the linkage was grabbing the wrong files; and your
query prompted the webmaster to correct the linkage.

-Adam