[Announce] GnuPG 2.1.17 released

Werner Koch wk at gnupg.org
Tue Dec 20 19:24:42 CET 2016

On Tue, 20 Dec 2016 13:46, cmt at burggraben.net said:

> I believe there's something wrong with the signature of the latest
> release.

Sorry, my fault.  To create the signature I use

  gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2

Today I forgot the -b and thus a non-detached signature was created
(suffix .gpg).  After realizing that I fixed that but probably I did

  gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2.gpg

which is obviously wrong.  Then I copied gnupg-2.1.17.tar.bz2{,.sig} to
the final locations.  The end result is that the detached signature was
over a binary signed tarball and not over the plain tarball.  I can't
prove that anymore because I deleted the .gpg files before I noticed
that the signature were wrong.

Before you ask: Yes, I should add a make target for signing.  Actually I
did this for the Windows installer's yesterday.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: </pipermail/attachments/20161220/afb9a572/attachment.sig>

More information about the Gnupg-users mailing list