BAD signatures for GnuPG Stable

Aaron Tovo aarontovo at
Tue Jan 26 05:41:41 CET 2016

I downloaded gnupg-2.0.29.tar.bz2 and libgpg-error-1.21.tar.bz2 and
their corresponding .sig files from

I tried to verify them using the gnupg (version 1.4.16) that came with
my Ubuntu 14.04 distribution and got bad signature messages for both files:

$ gpg --verify gnupg-2.0.29.tar.bz2.sig gnupg-2.0.29.tar.bz2
gpg: Signature made Tue 08 Sep 2015 09:38:22 AM CDT using RSA key ID
gpg: BAD signature from "Werner Koch (dist sig)"
gpg: Signature made Wed 09 Sep 2015 05:30:24 AM CDT using RSA key ID
gpg: requesting key 33BD3F06 from hkp server
gpg: key 33BD3F06: public key "NIIBE Yutaka (GnuPG Release Key)
<gniibe at>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: BAD signature from "NIIBE Yutaka (GnuPG Release Key) <gniibe at>"

$ gpg --verify libgpg-error-1.21.tar.bz2.sig libgpg-error-1.21.tar.bz2
gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID
gpg: BAD signature from "Werner Koch (dist sig)"

What are some likely causes of this?

I also checked the sha1sum and md5sum and they didn't match either.

I didn't try the other gnupg packages.
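
A triage sketch for the situation in the message above, added here as an example and not part of the original post or of GnuPG: it hashes the download, compares it with the published checksum, and classifies the result lines that `gpg --status-fd 1 --verify` emits. The sample status text, its key IDs and the verdict labels are constructed for illustration.

```python
import hashlib

# Constructed sample of `gpg --status-fd 1 --verify` output. The key IDs and
# names are placeholders, not values from the post.
SAMPLE_STATUS = """\
[GNUPG:] BADSIG 0000000000000001 Example Signer One
[GNUPG:] BADSIG 0000000000000002 Example Signer Two
"""

def file_digest(path, algo="sha1"):
    """Hash a file in chunks so a large tarball need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_status(text):
    """Return a (keyword, key_id) pair for every signature result line."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) >= 3 and parts[0] == "[GNUPG:]"
                and parts[1] in ("GOODSIG", "BADSIG", "ERRSIG")):
            results.append((parts[1], parts[2]))
    return results

def triage(path, published_hex, status_text, algo="sha1"):
    """Classify a failed verification (verdict labels are hypothetical)."""
    sigs = parse_status(status_text)
    kinds = {kind for kind, _ in sigs}
    if file_digest(path, algo) != published_hex.strip().lower():
        # The bytes on disk are not the published bytes, so every signature
        # over them fails regardless of which key is used: fetch again.
        return "REDOWNLOAD"
    if "BADSIG" in kinds:
        # Data matches the checksum, so the .sig is for another file or damaged.
        return "SIG_FILE_MISMATCH"
    if "ERRSIG" in kinds or not sigs:
        # Nothing could be checked, e.g. the public key is missing.
        return "CANNOT_CHECK"
    return "GOOD_CHECK_FINGERPRINT"
```

A matching checksum only shows the download is intact relative to wherever the checksum was published; the signature check against a key whose fingerprint has been confirmed is what authenticates the release.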


More information about the Gnupg-users mailing list