Digital archeology -- verifying a signed Usenet message from 1995
Lars Noodén
lars.nooden at gmx.com
Tue May 19 17:33:33 CEST 2026
On 5/18/26 05:30, Jacob Bachmeyer wrote:
> Found your problem: the signature is from key 961F4A35 but you only
> have key DCB9AE01. "Go fish"---you will need the public key with ID
> 961F4A35 to verify that signature.
Thanks. I think I've been able to track down what might be the correct
public key ID 961F4A35:
https://web.archive.org/web/19970603193401/http://www.cs.hut.fi/ssh/ylo-key
Though I had to use the --allow-non-selfsigned-uid option to import it.
$ gpg1 --list-keys
/home/me/.gnupg/pubring.gpg
-----------------------------
gpg: Note: signatures using the MD5 algorithm are rejected
pub 1024R/961F4A35 1995-01-23
uid Tatu Ylonen <ylo at cs.hut.fi>
I've looked at the part of the GnuPG documentation which covers
signature verification, and the matching article:
https://www.gnupg.org/gph/en/manual/x135.html
https://www.gnupg.org/blog/20251226-cleartext-signatures.html
And I followed the instructions there. Oddly, gpg1 complains about the
public key:
$ gpg1 --verify message.usenet
gpg: Signature made Wed 12 Jul 1995 05:50:42 PM EEST using RSA key ID
961F4A35
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: Can't check signature: bad public key
Even if I split out the signature into a second file, I still get a "bad
public key" error with the detached signature:
$ sed -n -e '/BEGIN PGP SIGNATURE/,/END PGP SIGNATURE/p' \
message.usenet | tee message.sig
$ gpg1 --verify message.sig message.usenet
gpg: Signature made Wed 12 Jul 1995 05:50:42 PM EEST using RSA key ID
961F4A35
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: Can't check signature: bad public key
At least it's not the "public key not found" error.
What have I missed? Do I need an older version of GPG1?
/Lars
More information about the Gnupg-users
mailing list