BAD signatures for GnuPG Stable
aarontovo at gmail.com
Thu Jan 28 06:12:36 CET 2016
It's definitely not an ascii file (having taken a peek at its content).
I downloaded libgpg-error-1.21.tar.bz2 again today and it has a the
correct size (763186)
-rw-rw-r-- 1 aaron aaron 763186 Jan 27 22:53 libgpg-error-1.21(1).tar.bz2
I re-downloaded sig file and it still fails the gpg --verify test.
$ gpg --verify libgpg-error-1.21.tar.bz2.sig gpg: Signature made Sat 12
Dec 2015 06:03:30 AM CST using RSA key ID 4F25E3B6
gpg: BAD signature from "Werner Koch (dist sig)"
Could this be some kind of man-in-the-middle attack? I don't recall
having seen a signature fail like this before.
On 01/27/2016 08:53 AM, Steve Butler wrote:
> Perhaps an ASCII download instead of binary? That would make the download file larger!
> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-bounces+sbutler=fchn.com at gnupg.org] On Behalf Of Aaron Tovo
> Sent: Tuesday, January 26, 2016 8:45 PM
> To: gnupg-users at gnupg.org
> Subject: Re: BAD signatures for GnuPG Stable
> Interesting. The file I downloaded is actually larger than what it should be!
> -rw-rw-r-- 1 aaron aaron 855815 Jan 25 21:44 libgpg-error-1.21.tar.bz2
> On 01/26/2016 03:26 AM, Werner Koch wrote:
>> On Tue, 26 Jan 2016 05:41, aarontovo at gmail.com said:
>>> $ gpg --verify libgpg-error-1.21.tar.bz2.sig
>>> gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID
>>> gpg: BAD signature from "Werner Koch (dist sig)"
>> Please check the length of the file to make sure you downloaded it
>> The size of libgpg-error-1.21.tar.bz2 is 763186 bytes.
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
More information about the Gnupg-users