GPG problem with Tor RPM
Chris
chris at aktivix.org
Mon Mar 21 15:02:01 UTC 2005
Hi
I couldn't verify the RPMs using GPG:
rpm -K tor-0.0.9.5-tor.0.fc1.i386.rpm
tor-0.0.9.5-tor.0.fc1.i386.rpm: sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#28988bf5)
rpm -K tor-0.0.9.5-tor.0.fc1.src.rpm
tor-0.0.9.5-tor.0.fc1.src.rpm: sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#28988bf5)
I do have the gpg key installed -- I did this:
gpg --recv-key 0x28988bf5
gpg: key 28988BF5: duplicated user ID detected - merged
gpg: key 28988BF5: "Roger Dingledine <arma at mit.edu>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg --export --armor arma at mit.edu > tor.asc
rpm --import tor.asc
So I decided to install the SRPM and check the tgz, but
this is also not good:
rpm -Uvh tor-0.0.9.5-tor.0.fc1.src.rpm
warning: tor-0.0.9.5-tor.0.fc1.src.rpm: V3 DSA signature: NOKEY, key ID 28988bf5
1:tor ########################################### [100%]
cd `rpm --eval '%{_sourcedir}'`
wget http://tor.eff.org/dist/tor-0.0.9.5.tar.gz.asc
gpg --verify tor-0.0.9.5.tar.gz.asc
gpg: Signature made Wed 23 Feb 2005 06:33:29 GMT using DSA key ID 28988BF5
gpg: BAD signature from "Roger Dingledine <arma at mit.edu>"
However I then got the tgz from the site, checked the sig
OK and built my own RPM using that and it was OK.
Chris
--
Aktivix -- Free Software for a Free World
More information about the tor-dev
mailing list