Christoph Moench-Tegeder cmt at burggraben.net
Tue Dec 20 13:46:23 CET 2016


I believe there's something wrong with the signature of the latest

* Werner Koch (wk at gnupg.org):

>  * If you already have a version of GnuPG installed, you can simply
>    verify the supplied signature.  For example to verify the signature
>    of the file gnupg-2.1.17.tar.bz2 you would use this command:
>      gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2

This fails:
gpg: Signature made Tue Dec 20 11:33:11 2016 CET
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: BAD signature from "Werner Koch (dist sig)" [unknown]

But the SHA1 hash of the release tarball matches the one in the
release announcement.
I downloaded directly from gnupg.org. For reference, the hashes of
the release file and the signature (as downloaded here) are:

SHA1 (gnupg-2.1.17.tar.bz2) = d83ab893faab35f37ace772ca29b939e6a5aa6a7
SHA1 (gnupg-2.1.17.tar.bz2.sig) = 34cea3e6d139cb340bf14f04ff217cb6960cf36d

Or is that just me and a local issue?
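As an added example (not part of the original post and not GnuPG's own tooling), a POSIX shell script that performs both checks the message describes: it compares the tarball's SHA1 against the digest from the release announcement, then runs the detached-signature check from the announcement with `gpg --verify`, reading gpg's machine-readable `--status-fd` keywords (GOODSIG, BADSIG) instead of the human-readable messages. It reports which of the two checks failed, so the situation in the post (digest matches, signature BAD) is flagged as a problem to investigate in the `.sig` file or its download rather than in the tarball. It assumes `gpg` and either `sha1sum` or `shasum` are on PATH; the file names and the announced digest are passed as arguments.

```shell
#!/bin/sh
# Added example: verify a release tarball two ways.
#   usage: verify_release.sh gnupg-2.1.17.tar.bz2 gnupg-2.1.17.tar.bz2.sig <announced-sha1>
# Assumes gpg and sha1sum (or shasum) are installed.

# Print the SHA1 of a file as lowercase hex, using whichever tool exists.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's SHA1 equals the expected hex digest
# (case-insensitive, so a digest pasted in upper case still compares).
sha1_matches() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha1_of "$file")
    [ "$actual" = "$expected" ]
}

# Check a detached signature. Returns 0 on GOODSIG, 1 on BADSIG,
# 2 when gpg could not decide (no public key, unreadable file, ...).
# --status-fd 1 sends "[GNUPG:] KEYWORD ..." lines to stdout; the
# human-readable messages on stderr are discarded.
gpg_verify_status() {
    sig=$1
    file=$2
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        return 0
    elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        return 1
    else
        return 2
    fi
}

# Run both checks, print a verdict for each, return 0 only if both pass.
verify_release() {
    file=$1
    sig=$2
    expected=$3
    rc=0
    if sha1_matches "$file" "$expected"; then
        echo "SHA1 of $file matches the announced digest"
    else
        echo "SHA1 MISMATCH: $file does not match the announced digest"
        rc=1
    fi
    gpg_verify_status "$sig" "$file" && st=0 || st=$?
    case $st in
        0) echo "GOOD signature on $file" ;;
        1) echo "BAD signature: $sig does not verify against $file"
           if [ "$rc" -eq 0 ]; then
               echo "(digest matched, so check the .sig file and how it was downloaded)"
           fi
           rc=1 ;;
        *) echo "gpg could not verify $file (missing signing key or error)"
           rc=1 ;;
    esac
    return $rc
}

# Only run the full check when invoked with the three arguments.
if [ $# -eq 3 ]; then
    verify_release "$1" "$2" "$3"
else
    echo "usage: $0 <tarball> <tarball.sig> <announced-sha1>" >&2
fi
```

Import the signing key (the announcement lists its fingerprint) before relying on the GOODSIG result; with the key missing, gpg reports ERRSIG/NO_PUBKEY and the script returns "could not verify" rather than a verdict.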


