GPG problem with Tor RPM

Chris chris at aktivix.org
Mon Mar 21 15:02:01 UTC 2005


Hi

I couldn't verify the RPMs using GPG:

  rpm -K tor-0.0.9.5-tor.0.fc1.i386.rpm
  tor-0.0.9.5-tor.0.fc1.i386.rpm: sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#28988bf5) 

  rpm -K tor-0.0.9.5-tor.0.fc1.src.rpm 
  tor-0.0.9.5-tor.0.fc1.src.rpm: sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#28988bf5) 

I do have the gpg key installed -- I did this:

  gpg --recv-key 0x28988bf5
  gpg: key 28988BF5: duplicated user ID detected - merged
  gpg: key 28988BF5: "Roger Dingledine <arma at mit.edu>" not changed
  gpg: Total number processed: 1
  gpg:              unchanged: 1

  gpg --export --armor arma at mit.edu > tor.asc

  rpm --import tor.asc

So I decided to install the SRPM and check the tgz, but
this is also not good:

  rpm -Uvh tor-0.0.9.5-tor.0.fc1.src.rpm 
  warning: tor-0.0.9.5-tor.0.fc1.src.rpm: V3 DSA signature: NOKEY, key ID 28988bf5
   1:tor ########################################### [100%]

  cd `rpm --eval '%{_sourcedir}'`

  wget http://tor.eff.org/dist/tor-0.0.9.5.tar.gz.asc

  gpg --verify tor-0.0.9.5.tar.gz.asc 
  gpg: Signature made Wed 23 Feb 2005 06:33:29 GMT using DSA key ID 28988BF5
  gpg: BAD signature from "Roger Dingledine <arma at mit.edu>"
  
However I then got the tgz from the site, checked the sig
OK and built my own RPM using that and it was OK.

Chris

-- 
Aktivix -- Free Software for a Free World



More information about the tor-dev mailing list