<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style data-premailer="ignore" type="text/css">

a { color: #1068bf; }

</style>

<style>img {

max-width: 100%; height: auto;

}

body {

font-size: 0.875rem;

}

body {

-webkit-text-shadow: rgba(255,255,255,0.01) 0 0 1px;

}

body {

font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Noto Sans", Ubuntu, Cantarell, "Helvetica Neue", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; font-size: inherit;

}

</style>

</head>

<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,0.01) 0 0 1px; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Noto Sans", Ubuntu, Cantarell, "Helvetica Neue", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";'>

<div class="content">

<p style="color: #777777;">

<a href="https://gitlab.com/atsampson" style="color: #1068bf;">Adam Sampson</a>

<a href="https://gitlab.com/gnutls/gnutls/-/issues/1407#note_1118249186" style="color: #1068bf;">commented</a>:

</p>

<div class="md" style="color: #303030; word-wrap: break-word;">

<p dir="auto" style="color: #303030; margin: 0;" align="initial">One downside of multiple signatures with the 3.7.8 release: one of the signatures on the tarball is from Alexander Sosedkin, whose key isn't in the <a href="https://www.gnutls.org/gnutls-release-keyring.gpg" rel="nofollow noreferrer noopener" target="_blank" style="color: #1068bf; margin-top: 0;">release keyring</a> linked from the download page (and isn't listed on the <a href="https://www.gnutls.org/contrib.html" rel="nofollow noreferrer noopener" target="_blank" style="color: #1068bf;">maintainers page</a>). So, as a packager, when I import the keyring with GnuPG and then try to verify the tarball's signature, it fails because one of the signatures can't be verified even though the other two are OK. It'd be good to check that the keyring is up to date as part of the release process.</p>

</div>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #666;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1407#note_1118249186" style="color: #1068bf;">view it on GitLab</a>.

<br>

You're receiving this email because of your account on <a target="_blank" rel="noopener noreferrer" href="https://gitlab.com" style="color: #1068bf;">gitlab.com</a>. <a href="https://gitlab.com/-/sent_notifications/2d0ca00494a03e2277aaa2e9a149ff1a/unsubscribe" target="_blank" rel="noopener noreferrer" style="color: #1068bf;">Unsubscribe</a> from this thread · <a href="https://gitlab.com/-/profile/notifications" target="_blank" rel="noopener noreferrer" class="mng-notif-link" style="color: #1068bf;">Manage all notifications</a> · <a href="https://gitlab.com/help" target="_blank" rel="noopener noreferrer" class="help-link" style="color: #1068bf;">Help</a>

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1407#note_1118249186"}}</script>

</p>

</div>

</body>

</html>