having trouble checking the signature of a downloaded file

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Wed Feb 21 10:48:12 CET 2018

On 02/21/2018 10:37 AM, Henry wrote:
> I downloaded a tarball ***6.4.tar.gz, its signature file
> ***6.4.tar.gz.sig, and the author's public key ******.pgp from a
> well-known site.
> I imported the public key: `gpg --import ******.pgp`.
> For some reason, two keys were "skipped":
>    gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to missing keys
>    gpg: key 0C0B590E80CA15A7: "Author's Name <author at xxxxxx.org>
>    gpg: Total number processed: 3
>    gpg:     skipped PGP-2 keys: 2
	      note this and see below

>    gpg:              unchanged: 1
> I tried to verify the downloaded file, but the check failed:
> `gpg --verify ***6.4.tar.gz.sig ***6.4.tar.gz`
>    gpg: Signature made Tue May  4 23:03:11 2004 JST
>    gpg:                using RSA key DC80F2A6D5327CB9
>    gpg: Can't check signature: No public key

The above RSA key is in v3 format, which is not supported in GnuPG >= 2.1
for security reasons; hence it was not imported, and hence the output you see.

> This is the first time for this to happen, so I have no idea what I
> might be doing wrong.  Any help or suggestions much appreciated.  TIA

The author should sign the package using a more modern and secure keyblock.

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Aut disce aut discede
Either learn or leave
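The two gpg lines quoted above tell the whole story between them: "skipped PGP-2 keys: 2" on import, and "using RSA key DC80F2A6D5327CB9 ... No public key" on verify. As an added example (not code from this thread, from GnuPG, or from the package author), the Python script below parses the RFC 4880 packet framing of a binary keyblock or .sig file far enough to report each key and signature packet's version and 64-bit key ID, then applies the same decision gpg makes: the signing key is absent, present as a v4 key, or present as a v2/v3 (PGP-2) key that GnuPG >= 2.1 refuses to import. It also shows why those keys were dropped: a v3 key ID is just the low 64 bits of the RSA modulus (and the v3 fingerprint is MD5 over the modulus and exponent), so two different moduli with the same low bits share a key ID. Every key and signature in the script is constructed in-line with toy 128-bit moduli; the timestamp, key ID 0123456789ABCDEF and the function names are assumptions for the example, not the thread's real key.

```python
import hashlib
import struct

def var_length(buf, i):
    """Decode a new-format length field (RFC 4880 4.2.2 / 5.2.3.1) at buf[i]."""
    first, i = buf[i], i + 1
    if first < 192:
        return first, i
    if first < 255:
        return ((first - 192) << 8) + buf[i] + 192, i + 1
    return struct.unpack(">I", buf[i:i + 4])[0], i + 4

def read_packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers (4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("byte %d is not a packet header" % (i - 1))
        if ctb & 0x40:                                    # new-format header
            tag = ctb & 0x3F
            if 224 <= data[i] < 255:    # partial body lengths: never in keys or sigs
                raise ValueError("partial body length not supported")
            length, i = var_length(data, i)
        else:                                             # old-format header
            tag, width = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]
            length = int.from_bytes(data[i:i + width], "big") if width else len(data) - i
            i += width
        yield tag, data[i:i + length]
        i += length

def key_info(body):
    """(version, key ID) for a public-key (tag 6) or subkey (tag 14) packet."""
    version = body[0]
    if version == 4:   # key ID = low 64 bits of SHA-1(0x99 || len || body) (12.2)
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
        return 4, fpr[-8:].hex().upper()
    if version in (2, 3):   # PGP-2: version, time(4), validity(2), algo(1), n, e
        # key ID = low 64 bits of the modulus n (fingerprint = MD5(n || e)):
        # whoever chooses n chooses the key ID, one reason GnuPG 2.1 dropped them
        nbytes = (struct.unpack(">H", body[8:10])[0] + 7) // 8
        return version, body[10 + nbytes - 8:10 + nbytes].hex().upper()
    raise ValueError("unknown key packet version %d" % version)

def issuer_subpacket(area):
    """Key ID from the first type-16 (Issuer) subpacket in area, else None."""
    i = 0
    while i < len(area):
        length, i = var_length(area, i)
        if area[i] & 0x7F == 16:                          # high bit = critical flag
            return area[i + 1:i + length].hex().upper()
        i += length
    return None

def signature_info(body):
    """(version, issuer key ID) for a signature packet (tag 2)."""
    version = body[0]
    if version == 3:   # version, 0x05, sig type, time(4), issuer key ID(8), ...
        return 3, body[7:15].hex().upper()
    if version == 4:   # version, type, pk algo, hash algo, hashed area, unhashed area
        hlen = struct.unpack(">H", body[4:6])[0]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        hashed, unhashed = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
        return 4, issuer_subpacket(hashed) or issuer_subpacket(unhashed)
    raise ValueError("unknown signature version %d" % version)

def inspect(data):
    """(tag, version, key ID) for every key and signature packet in data."""
    return [(tag,) + (key_info(body) if tag in (6, 14) else signature_info(body))
            for tag, body in read_packets(data) if tag in (2, 6, 14)]

def diagnose(sig_data, key_data):
    """gpg's decision: signing key absent, present, or a PGP-2 key it skips."""
    wanted = inspect(sig_data)[0][2]
    for _, version, kid in inspect(key_data):
        if kid == wanted:
            return ("key %s is v%d (PGP-2): skipped on import" if version < 4
                    else "key %s found (v%d)") % (kid, version)
    return "key %s not in keyblock: No public key" % wanted

def mpi(x):              # MPI: 2-byte bit count, then big-endian magnitude
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
def packet(tag, body):   # old-format header with a 2-byte length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

# Constructed samples: assumed timestamp and key ID, toy 128-bit moduli (not real keys)
TIME = struct.pack(">I", 1083679391)
KID = bytes.fromhex("0123456789ABCDEF")
N_A = 0xA1B2C3D4E5F607180123456789ABCDEF                  # low 64 bits == KID
N_B = 0xFFEEDDCCBBAA99880123456789ABCDEF                  # different n, same low bits
V3_KEY_A = packet(6, b"\x03" + TIME + b"\x00\x00\x01" + mpi(N_A) + mpi(65537))
V3_KEY_B = packet(6, b"\x03" + TIME + b"\x00\x00\x01" + mpi(N_B) + mpi(65537))
V4_KEY_A = packet(6, b"\x04" + TIME + b"\x01" + mpi(N_A) + mpi(65537))
V3_SIG = packet(2, b"\x03\x05\x00" + TIME + KID + b"\x01\x02\xAB\xCD" + mpi(0x1234))
V4_SIG = packet(2, b"\x04\x00\x01\x08\x00\x06\x05\x02" + TIME          # hashed: time
                + b"\x00\x0A\x09\x10" + KID + b"\xAB\xCD" + mpi(0x1234))  # unhashed: issuer

if __name__ == "__main__":
    print(inspect(V3_KEY_A), inspect(V3_KEY_B), inspect(V4_KEY_A), sep="\n")
    print(diagnose(V3_SIG, V3_KEY_A), diagnose(V4_SIG, V4_KEY_A), sep="\n")
```

To run it on a real download, feed inspect() the bytes of the binary .sig file and of the dearmored keyblock (gpg --dearmor < author.asc); diagnose() will then name the key ID gpg printed, DC80F2A6D5327CB9 in the case above, and say whether it is missing or present only as a v3 key. If you would rather not parse anything yourself, gpg --list-packets on the same files prints the version and key ID fields this script extracts.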
