GPG problem with Tor RPM
Chris
chris at aktivix.org
Mon Mar 21 21:38:31 UTC 2005
Hi
On Mon 21-Mar-2005 at 04:04:13PM -0500, Roger Dingledine
wrote:
>
> My first guess is that you're failing to import my key
> into your rpm db.
Yeah, that was my first guess too :-)
> Have you gotten this working with other programs, and
> other keys?
Yes, most of them most of the time...
> Some versions of rpm are rumored to have bugs where rpm
> --import silently fails.
Yeah I remember hearing this somewhere also...
> I just repeated these steps on my FC1 machine, and it
> claims to be missing the key too. So it's not that it's
> getting a *bad* signature, it just fails to learn about
> the key.
I have tried on FC1 and FC3, same results.
> rpm -K works fine for me on my RC73 machine (where rpm
> actually uses gpg).
Ahh, interesting, perhaps we should check the Red Hat
bugzilla...
> In any case, I double-checked and the rpms available
> from tor.eff.org are still in fact the ones that I
> uploaded, so I think all is well on that front.
Yeah, I wasn't too woried about this ;-)
> This is why I've been pushing Jeff Moe (cc'ed) to handle
> our RPM distribution. I'm just winging it, and tend to
> put actual Tor development higher priority. :)
That sounds like a fine plan!
> > cd `rpm --eval '%{_sourcedir}'`
> >
> > wget http://tor.eff.org/dist/tor-0.0.9.5.tar.gz.asc
> >
> > gpg --verify tor-0.0.9.5.tar.gz.asc
> > gpg: Signature made Wed 23 Feb 2005 06:33:29 GMT using DSA key ID 28988BF5
> > gpg: BAD signature from "Roger Dingledine <arma at mit.edu>"
>
> Right, this is because our "make dist-rpm" builds its
> own tarball and then makes an rpm out of it. So it won't
> use the same tarball as is uploaded to the site.
Ah, I see.
> If anybody wants to submit a patch to make it use the
> official tarball, that would be great.
Well I'm sorry to say that I'm probably not up to doing
that...
Thanks
Chris
--
Aktivix -- Free Software for a Free World
More information about the tor-dev
mailing list