[Announce] GnuPG 2.1.17 released

Stephan Beck stebe at mailbox.org
Tue Dec 20 18:50:00 CET 2016


Christoph Moench-Tegeder:
> Hi,
> I believe there's something wrong with the signature of the latest
> release.
> ## Werner Koch (wk at gnupg.org):
>>  * If you already have a version of GnuPG installed, you can simply
>>    verify the supplied signature.  For example to verify the signature
>>    of the file gnupg-2.1.17.tar.bz2 you would use this command:
>>      gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2
> This fails:
> gpg: Signature made Tue Dec 20 11:33:11 2016 CET
> gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> gpg: BAD signature from "Werner Koch (dist sig)" [unknown]

Using the command --recv-keys, you have to retrieve the key
D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 from keyservers and then do the
--verify again.

If it's still BAD SIGNATURE, then you'll have a good reason for opening
a new thread. :-)

Note that you cannot verify a signature of a gnupg tarball if you do not
have a (previous) version of gpg installed. In this case, you can only
check the checksum, or use another system with gpg installed for verifying.
Do not verify the signature using the gpg version you just downloaded.
Well, that's all part of the text of the usual announce mail posted on
this very list.
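
One way to script the verification discussed in this thread, as an added example that is not part of the original messages or of GnuPG itself: it reads gpg's machine-readable `--status-fd` lines, separates a bad signature from a missing public key, and checks the signing key's fingerprint against the one shown in the quoted output. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify `gpg --status-fd` output.
# Fingerprint as printed in the quoted gpg output above.
EXPECTED_FPR=D8692123C4065DEA5E0F3AB5249B39D24F25E3B6

# classify_status EXPECTED_FPR < status-lines   (hypothetical helper)
# Prints one verdict: good, wrong_key, bad, no_pubkey or unknown.
classify_status() {
    expected=$1
    verdict=unknown
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] BADSIG "*)
                verdict=bad ;;   # key was available, data and signature do not match
            "[GNUPG:] NO_PUBKEY "*)
                if [ "$verdict" = unknown ]; then verdict=no_pubkey; fi ;;
            "[GNUPG:] VALIDSIG "*)
                # First field after VALIDSIG is the signing key's fingerprint.
                rest=${line#"[GNUPG:] VALIDSIG "}
                fpr=${rest%% *}
                if [ "$verdict" != bad ]; then
                    if [ "$fpr" = "$expected" ]; then verdict=good; else verdict=wrong_key; fi
                fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# verify_release FILE.sig FILE: run the already installed gpg and classify the result.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$EXPECTED_FPR"
}

# Constructed status lines (not captured from a real run), one per outcome.
SAMPLE_BAD='[GNUPG:] BADSIG 249B39D24F25E3B6 Werner Koch (dist sig)'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 249B39D24F25E3B6 1 8 00 1482229991 9
[GNUPG:] NO_PUBKEY 249B39D24F25E3B6'
SAMPLE_GOOD="[GNUPG:] VALIDSIG $EXPECTED_FPR 2016-12-20 1482229991 0 4 0 1 8 00 $EXPECTED_FPR"

# Demo on the constructed samples; prints bad, no_pubkey, good.
for s in "$SAMPLE_BAD" "$SAMPLE_NOKEY" "$SAMPLE_GOOD"; do
    printf '%s\n' "$s" | classify_status "$EXPECTED_FPR"
done
```

Against a real download the call would be `verify_release gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2`, run with a gpg that was installed before the tarball was fetched.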


