BAD signatures for GnuPG Stable

Damien Goutte-Gattat dgouttegattat at incenp.org
Thu Jan 28 09:03:35 CET 2016


On 01/28/2016 06:12 AM, Aaron Tovo wrote:
> I downloaded libgpg-error-1.21.tar.bz2 again today and it has the
> correct size (763186)
>
> -rw-rw-r--  1 aaron aaron  763186 Jan 27 22:53 libgpg-error-1.21(1).tar.bz2
>
> I re-downloaded sig file and it still fails the gpg --verify test.

Is the old libgpg-error-1.21.tar.bz2 (the one you downloaded before, 
with the wrong size) still present in the same directory? (I assume it 
is, based on the '(1)' suffix that has been appended to the new file you 
have just downloaded.)

If that's the case, what happens when you call gpg like this:

   $ gpg --verify libgpg-error-1.21.tar.bz2.sig

is that gpg will assume the signed file to verify is 
libgpg-error-1.21.tar.bz2. (Recent versions of GnuPG print a warning in 
situations like this, but older versions are silent about that assumption.)

Either get rid of the old file, or explicitly tell gpg which file it 
should verify:

   $ gpg --verify libgpg-error-1.21.tar.bz2.sig libgpg-error-1.21(1).tar.bz2

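The following script is an added example and is not part of the thread above; it reproduces the situation Damien describes with a throwaway key in a temporary GNUPGHOME, so it verifies nothing about the real libgpg-error release. The file names are constructed to match the ones in the thread, the "demo" key identity is invented, and the list of suffixes GnuPG strips when guessing the data file (.sig, .asc, .sign) is what I understand the tool to do; the point is that "gpg --verify foo.sig" quietly picks the stale foo while "gpg --verify foo.sig 'foo(1)'" checks the file you actually downloaded.

```shell
#!/bin/sh
# Added example, not GnuPG's own code: show why "gpg --verify X.sig" can report
# BAD when a stale file named X sits next to the fresh download "X(1)".

# Name gpg assumes for the signed data when only a detached-signature file is
# given: the signature file name with its .sig/.asc/.sign suffix removed.
# (Assumed suffix list; anything else is returned unchanged.)
implied_data_file() {
    case "$1" in
        *.sig)  printf '%s\n' "${1%.sig}" ;;
        *.asc)  printf '%s\n' "${1%.asc}" ;;
        *.sign) printf '%s\n' "${1%.sign}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Verify SIG against DATA, always naming DATA explicitly. Prints Good, BAD or
# MISSING and returns non-zero unless the signature is good.
verify_explicit() {
    sig=$1; data=$2
    [ -f "$data" ] || { echo MISSING; return 1; }
    if gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null \
            | grep -q '^\[GNUPG:\] GOODSIG'; then
        echo Good
    else
        echo BAD; return 1
    fi
}

# Reproduce the thread: sign the "(1)" file, leave a truncated file under the
# original name, then compare implicit and explicit verification.
demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping demo"; return 0; }
    tmp=$(mktemp -d) || return 1
    (
        export GNUPGHOME="$tmp/home"
        mkdir -m 700 "$GNUPGHOME" && cd "$tmp" || exit 1
        # Throwaway signing key (constructed identity, not a GnuPG release key).
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-gen-key 'demo <demo@example.invalid>' default default never >/dev/null 2>&1
        printf 'complete tarball contents\n' > 'libgpg-error-1.21(1).tar.bz2'  # fresh download
        printf 'truncated\n'                 > 'libgpg-error-1.21.tar.bz2'     # stale, wrong size
        gpg --batch --quiet --detach-sign \
            -o libgpg-error-1.21.tar.bz2.sig 'libgpg-error-1.21(1).tar.bz2'
        echo "gpg will assume: $(implied_data_file libgpg-error-1.21.tar.bz2.sig)"
        if gpg --batch --verify libgpg-error-1.21.tar.bz2.sig >/dev/null 2>&1; then
            echo "implicit verify: Good"
        else
            echo "implicit verify: BAD (it checked the stale libgpg-error-1.21.tar.bz2)"
        fi
        echo "explicit verify: $(verify_explicit libgpg-error-1.21.tar.bz2.sig 'libgpg-error-1.21(1).tar.bz2' || true)"
    )
    rm -rf "$tmp"
}

demo
```

Run it as "sh verify-demo.sh"; with gpg installed it prints BAD for the implicit call and Good for the explicit one, which is exactly the difference between the two commands in the reply above. Deleting the stale file, as Damien also suggests, makes the implicit form safe again.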


More information about the Gnupg-users mailing list