BAD signatures for GnuPG Stable

Aaron Tovo aarontovo at gmail.com
Thu Jan 28 06:12:36 CET 2016


It's definitely not an ascii file (having taken a peek at its content).

I downloaded libgpg-error-1.21.tar.bz2 again today and it has the
correct size (763186)

-rw-rw-r--  1 aaron aaron  763186 Jan 27 22:53 libgpg-error-1.21(1).tar.bz2

I re-downloaded the sig file and it still fails the gpg --verify test.

$ gpg --verify libgpg-error-1.21.tar.bz2.sig
gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID 4F25E3B6
gpg: BAD signature from "Werner Koch (dist sig)"

Could this be some kind of man-in-the-middle attack? I don't recall
having seen a signature fail like this before.

Aaron

On 01/27/2016 08:53 AM, Steve Butler wrote:
> Perhaps an ASCII download instead of binary?  That would make the download file larger!
>
>
> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-bounces+sbutler=fchn.com at gnupg.org] On Behalf Of Aaron Tovo
> Sent: Tuesday, January 26, 2016 8:45 PM
> To: gnupg-users at gnupg.org
> Subject: Re: BAD signatures for GnuPG Stable
>
> Interesting. The file I downloaded is actually larger than what it should be!
>
> -rw-rw-r--  1 aaron aaron  855815 Jan 25 21:44 libgpg-error-1.21.tar.bz2
>
>
> On 01/26/2016 03:26 AM, Werner Koch wrote:
>> On Tue, 26 Jan 2016 05:41, aarontovo at gmail.com said:
>>
>>> $ gpg --verify libgpg-error-1.21.tar.bz2.sig libgpg-error-1.21.tar.bz2
>>> gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID 4F25E3B6
>>> gpg: BAD signature from "Werner Koch (dist sig)"
>> Please check the length of the file to make sure you downloaded it 
>> completely.
>>
>> The size of libgpg-error-1.21.tar.bz2 is 763186 bytes.
>>
>>
>> Shalom-Salam,
>>
>>    Werner
>>
>
>
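
Added example, not part of the thread: a Python pre-check for the points raised above (published size, binary versus ASCII transfer). It also reports which file gpg reads when --verify is given only the signature; per the gpg man page that is the signature name with .sig or .asc stripped. The file names and sizes in demo() are constructed.

```python
import os
import tempfile

BZIP2_MAGIC = b"BZh"  # every bzip2 stream starts with these three bytes

def implicit_data_file(sig_path):
    """File gpg checks when --verify gets only the signature: per the gpg
    man page it strips a trailing .sig or .asc from the signature name."""
    root, ext = os.path.splitext(sig_path)
    return root if ext in (".sig", ".asc") else None

def triage(sig_path, expected_size):
    """Findings worth ruling out before reading BAD signature as tampering."""
    data = implicit_data_file(sig_path)
    if data is None or not os.path.isfile(data):
        return ["no data file next to the signature; name it explicitly"]
    findings = []
    base = os.path.basename(data)
    size = os.path.getsize(data)
    if size != expected_size:
        findings.append(f"{base}: {size} bytes, expected {expected_size}")
    with open(data, "rb") as fh:
        if fh.read(3) != BZIP2_MAGIC:
            findings.append(f"{base}: does not start with the bzip2 magic")
    # Browsers often save a repeated download as "name(1).ext"; list any
    # sibling that has the published size so it can be verified by name.
    folder = os.path.dirname(data) or "."
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if path != data and os.path.isfile(path) \
                and os.path.getsize(path) == expected_size:
            findings.append(f"{name}: has the expected size; pass it to "
                            f"gpg --verify as the second argument")
    return findings

def demo():
    """Constructed files mirroring the thread's listing, sizes scaled down."""
    with tempfile.TemporaryDirectory() as d:
        good = BZIP2_MAGIC + b"9" + b"\x00" * 96      # 100 bytes, constructed
        with open(os.path.join(d, "pkg-1.0.tar.bz2"), "wb") as f:
            f.write(good + b"\r\n" * 6)               # 112 bytes, oversized
        with open(os.path.join(d, "pkg-1.0(1).tar.bz2"), "wb") as f:
            f.write(good)                             # the re-download
        sig = os.path.join(d, "pkg-1.0.tar.bz2.sig")
        open(sig, "wb").close()                       # empty placeholder
        return triage(sig, expected_size=100)

if __name__ == "__main__":
    print("\n".join(demo()))
```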
