[tor-talk] TBB 3.5.3 signatures messing
unknown
unknown at pgpru.com
Thu Mar 20 16:46:02 UTC 2014
I download the files:
https://www.torproject.org/dist/torbrowser/3.5.3/sha256sums.txt
https://www.torproject.org/dist/torbrowser/3.5.3/sha256sums.txt-mikeperry.asc
https://www.torproject.org/dist/torbrowser/3.5.3/tor-browser-linux64-3.5.3_en-US.tar.xz.asc
https://www.torproject.org/dist/torbrowser/3.5.3/tor-browser-linux64-3.5.3_en-US.tar.xz
Previous version files are missing:
sha256sums.txt-erinn.asc
sha256sums.txt-linus.asc
I run the script:
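########
#!/bin/bash
# Start file.txt with an empty line.
echo > file.txt
# Check the downloaded files against the checksum list; keep only the OK lines.
sha256sum -c sha256sums.txt 2>&1 | grep OK >> file.txt
echo >> file.txt
# Verify every detached signature over sha256sums.txt.
for a in sha256*.asc; do
    gpg --verify "$a" sha256sums.txt >> file.txt 2>&1
    echo >> file.txt
done
echo >> file.txt
# Verify the detached signature of the tarball itself.
gpg --verify tor-browser-linux64*.asc >> file.txt 2>&1
echo >> file.txt
#########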
Running less file.txt I can see a signatures mess:
gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark <erinn at torproject.org>"
gpg: aka "Erinn Clark <erinn at debian.org>"
gpg: aka "Erinn Clark <erinn at double-helix.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
gpg: Signature made Wed 19 Mar 2014 09:26:01 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark <erinn at torproject.org>"
gpg: aka "Erinn Clark <erinn at debian.org>"
gpg: aka "Erinn Clark <erinn at double-helix.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
I check the "mikeperry" signature manually:
gpg --verify sha256sums.txt-mikeperry.asc sha256sums.txt
gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark <erinn at torproject.org>"
gpg: aka "Erinn Clark <erinn at debian.org>"
gpg: aka "Erinn Clark <erinn at double-helix.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
Why is Mike Perry's signature displayed as Erinn's?
Where are the other signatures?
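
An added example, not part of the original post and not Tor Project code: a mismatch like the one above can be caught mechanically by comparing the fingerprint gpg reports on its status channel with a fingerprint pinned per signer. The function names, the rule that NAME in sha256sums.txt-NAME.asc is the signer, and the mikeperry placeholder are assumptions; the status lines at the end are constructed.

```shell
#!/bin/bash
# Added example, not the poster's script: pin each signature file to the key
# fingerprint expected to have made it and compare against gpg's status output.

# Expected primary-key fingerprint per signer name. Assumed policy: NAME in
# sha256sums.txt-NAME.asc is the signer. The erinn value is the fingerprint
# printed in the post; the mikeperry value is a placeholder to fill in.
expected_fpr() {
    case "$1" in
        erinn)     echo 8738A680B84B3031A630F2DB416F061063FEE659 ;;
        mikeperry) echo MIKEPERRY_FINGERPRINT_PLACEHOLDER ;;
        *)         return 1 ;;
    esac
}

# Read `gpg --status-fd` lines on stdin; print the primary-key fingerprint
# only if the signature is good (GOODSIG and VALIDSIG both present).
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
         END { if (good && fpr != "") print fpr }'
}

# check_signer NAME STATUS_TEXT: returns 0 when NAME's pinned key made the signature.
check_signer() {
    want=$(expected_fpr "$1") || { echo "$1: no pinned key"; return 2; }
    got=$(printf '%s\n' "$2" | signer_fpr)
    [ -n "$got" ] || { echo "$1: no good signature"; return 1; }
    [ "$got" = "$want" ] || { echo "$1: signed by $got, expected $want"; return 1; }
    echo "$1: OK"
}

# Run the check over the real signature files in the current directory.
verify_all() {
    rc=0
    for asc in sha256sums.txt-*.asc; do
        [ -e "$asc" ] || continue
        name=${asc#sha256sums.txt-}; name=${name%.asc}
        status=$(gpg --status-fd 1 --verify "$asc" sha256sums.txt 2>/dev/null) || true
        check_signer "$name" "$status" || rc=1
    done
    return $rc
}

# Constructed status output modelled on the signature shown in the post.
SAMPLE_STATUS='[GNUPG:] GOODSIG 416F061063FEE659 Erinn Clark <erinn at torproject.org>
[GNUPG:] VALIDSIG 8738A680B84B3031A630F2DB416F061063FEE659 2014-03-19 1395249930 0 4 0 1 2 00 8738A680B84B3031A630F2DB416F061063FEE659'

check_signer mikeperry "$SAMPLE_STATUS" || true   # reports the mismatch
```

Calling verify_all in the download directory runs the same comparison against the real files once the placeholder is replaced with a fingerprint obtained from a trusted source.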