[Libosinfo] libosinfo signatures
Guido Günther
agx at sigxcpu.org
Thu Apr 11 10:20:40 UTC 2019
Hi,
On Thu, Apr 11, 2019 at 11:39:51AM +0200, Fabiano Fidêncio wrote:
> Guido,
>
> On Thu, Apr 11, 2019 at 11:10 AM Guido Günther <agx at sigxcpu.org> wrote:
> >
> > Hi,
> > Older libosinfo releases were signed with Daniel's key:
> >
> > $ gpg --verify libosinfo_1.2.0.orig.tar.gz.asc
> > gpg: assuming signed data in 'libosinfo_1.2.0.orig.tar.gz'
> > gpg: Signature made Mi 20 Jun 2018 11:46:42 CEST
> > gpg: using RSA key 0xBE86EBB415104FDF
> > gpg: Good signature from "Daniel P. Berrange <dan at berrange.com>" [unknown]
> > gpg: aka "Daniel P. Berrange <berrange at redhat.com>" [unknown]
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg: There is no indication that the signature belongs to the owner.
> > Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
> >
> > And this key can be found on keyservers
> >
> > https://pgp.surfnet.nl/pks/lookup?search=0xBE86EBB415104FDF&fingerprint=on&op=index
> >
> > 1.4.0 seems to use a different key
> >
> > $ gpg --verify libosinfo-1.4.0.tar.gz.asc
> > gpg: assuming signed data in 'libosinfo-1.4.0.tar.gz'
> > gpg: Signature made Fr 01 Mär 2019 17:01:14 CET
> > gpg: using RSA key 09B9C8FF223EF113AFA06A39EE926C2BDACC177B
> > gpg: Can't check signature: No public key
> >
> > However i can't find that key on keyservers nor mentioned on
> > https://libosinfo.org/ nor at https://releases.pagure.org/libosinfo/.
> >
> > Can you point me to the signing key?
>
> Hmm. That's my fault.
> I've added the whole fingerprint, while I should have just added 0xDACC177B
> Note taken for the next release.
>
> Here's the link for the key:
> http://hkps.pool.sks-keyservers.net/pks/lookup?search=0xDACC177B&fingerprint=on&op=index
Thanks! It'd be nice to have the signing keys in upstreams upstream git
or somewhere prominent so one does not need to go hunting for it.
Cheers,
-- Guido
More information about the Libosinfo
mailing list