BAD signatures for GnuPG Stable

Antony Prince antony at blazrsoft.com
Thu Jan 28 06:45:02 CET 2016


On 1/28/2016 12:12 AM, Aaron Tovo wrote:
> It's definitely not an ascii file (having taken a peek at its content).
> 
> I downloaded libgpg-error-1.21.tar.bz2 again today and it has the
> correct size (763186)
> 
> -rw-rw-r--  1 aaron aaron  763186 Jan 27 22:53 libgpg-error-1.21(1).tar.bz2
> 
> I re-downloaded sig file and it still fails the gpg --verify test.
> 
> $ gpg --verify libgpg-error-1.21.tar.bz2.sig
> gpg: Signature made Sat 12 Dec 2015 06:03:30 AM CST using RSA key ID 4F25E3B6
> gpg: BAD signature from "Werner Koch (dist sig)"
> 
> Could this be some kind of man-in-the-middle attack? I don't recall
> having seen a signature fail like this before.
> 

I just downloaded both from the gnupg download site and the signature
verified just fine. That is odd is about all I can say. Are you
downloading it via FTP, HTTP, etc.? The results I got are pasted below.
Maybe someone else has more insight.


F:\Downloads>gpg --version
gpg (GnuPG) 2.1.10
libgcrypt 1.6.4
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/antony/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

F:\Downloads>gpg --verify libgpg-error-1.21.tar.bz2.sig
gpg: assuming signed data in 'libgpg-error-1.21.tar.bz2'
gpg: Signature made 12/12/15 07:03:30 Eastern Standard Time
gpg: using RSA key 0x249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [full]
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

-- 

Antony Prince

Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659  C482 AF3D 4087 301B 1B19
URL:
http://pool.sks-keyservers.net/pks/lookup?op=get&search=0xAF3D4087301B1B19
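
Added example, not part of the original message: when gpg is given only the `.sig` file it derives the data file name itself (the "assuming signed data in" line above), so this sketch names the data file explicitly and reads the machine-readable `--status-fd` output to tell a BAD signature apart from a good one made by the pinned key. The function names and sample status lines are constructed for illustration; the fingerprint is the one printed in the output above.

```shell
#!/bin/sh
# Added example; not part of the original thread.
# Pinned primary-key fingerprint, copied from the gpg output above (spaces removed).
PINNED_FPR="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"

# classify_status PINNED: read `gpg --status-fd` lines on stdin, print a verdict:
#   good       VALIDSIG whose primary-key fingerprint (last field) equals PINNED
#   wrong-key  a valid signature, but made by a different primary key
#   bad        BADSIG: the file's bytes are not the bytes that were signed
#   unchecked  ERRSIG/NO_PUBKEY: gpg could not check the signature at all
#   unknown    no signature status seen
classify_status() {
    awk -v pinned="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"   { bad = 1 }
        $2 == "ERRSIG" || $2 == "NO_PUBKEY" { unchecked = 1 }
        $2 == "VALIDSIG" { valid = 1; if ($NF == pinned) ours = 1 }
        END {
            if (bad)                print "bad"
            else if (valid && ours) print "good"
            else if (valid)         print "wrong-key"
            else if (unchecked)     print "unchecked"
            else                    print "unknown"
        }'
}

# verify_detached SIG DATA: name the data file explicitly so gpg does not
# derive it from the .sig name, then classify the machine-readable status.
verify_detached() {
    [ -f "$1" ] && [ -f "$2" ] || { echo "missing-file"; return 2; }
    verdict=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
              classify_status "$PINNED_FPR")
    echo "$verdict"
    [ "$verdict" = good ]
}

# Constructed status lines (illustrative, not captured from a real run).
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 249B39D24F25E3B6 Werner Koch (dist sig)'
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2015-12-12 1449921810 0 4 0 1 8 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'
SAMPLE_OTHER='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2015-12-12 1449921810 0 4 0 1 8 00 0000000000000000000000000000000000000000'
```

A call would look like `verify_detached libgpg-error-1.21.tar.bz2.sig 'libgpg-error-1.21(1).tar.bz2'`, with the data file name quoted because of the parentheses.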
