[Announce] GnuPG 2.1.17 released
Christoph Moench-Tegeder
cmt at burggraben.net
Tue Dec 20 13:46:23 CET 2016
Hi,

I believe there's something wrong with the signature of the latest
release.

## Werner Koch (wk at gnupg.org):
> * If you already have a version of GnuPG installed, you can simply
> verify the supplied signature. For example to verify the signature
> of the file gnupg-2.1.17.tar.bz2 you would use this command:
>
> gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2

This fails:

gpg: Signature made Tue Dec 20 11:33:11 2016 CET
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: BAD signature from "Werner Koch (dist sig)" [unknown]

But the SHA1 hash of the release tarball matches the one in the
release announcement.

I downloaded directly from gnupg.org. For reference, the hashes of
the release file and the signature (as downloaded here) are:

SHA1 (gnupg-2.1.17.tar.bz2) = d83ab893faab35f37ace772ca29b939e6a5aa6a7
SHA1 (gnupg-2.1.17.tar.bz2.sig) = 34cea3e6d139cb340bf14f04ff217cb6960cf36d

Or is that just me and a local issue?

Regards,
Christoph
--
Spare Space
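
Added example, not part of the original message and not GnuPG project code: a shell script that checks the announced SHA-1 and, separately, classifies gpg's machine-readable --status-fd output against the signer fingerprint shown in the gpg output above, so that a matching hash never overrides a BAD signature. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Status lines follow the format gpg emits with --status-fd.

# Signing-key fingerprint shown in the gpg output quoted in the message.
EXPECTED_FPR="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"

# Read gpg status lines on stdin and print one verdict:
# good | bad | wrong-key | no-key | error
classify_gpg_status() (
    expected=$1
    verdict=error
    while read -r tag keyword arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG)    # signed data and signature do not match
                verdict=bad; break ;;
            VALIDSIG)  # arg is the fingerprint of the key that signed
                if [ "$arg" = "$expected" ]; then verdict=good
                elif [ "$verdict" != good ]; then verdict=wrong-key; fi ;;
            NO_PUBKEY) # signer's key is not in the local keyring
                if [ "$verdict" = error ]; then verdict=no-key; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
)

# $1 = file, $2 = hex digest from the announcement (lower case)
sha1_matches() {
    if command -v sha1sum >/dev/null 2>&1; then
        actual=$(sha1sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 1 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# $1 = tarball, $2 = detached signature, $3 = announced SHA-1
check_release() {
    if sha1_matches "$1" "$3"; then echo "sha1: match"
    else echo "sha1: MISMATCH"; fi
    verdict=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | classify_gpg_status "$EXPECTED_FPR")
    echo "signature: $verdict"
    [ "$verdict" = good ]   # only the signature verdict decides acceptance
}

if [ "$#" -eq 3 ]; then check_release "$@"; fi
```

Run as `sh check.sh gnupg-2.1.17.tar.bz2 gnupg-2.1.17.tar.bz2.sig <announced-sha1>`; the exit status is zero only for a valid signature from the pinned fingerprint.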