On 3/14/10 3:35 PM, Lasse Kliemann wrote: > * Message by -Raymond Toy- from Sun 2010-03-14: > > > I meant only users, not developers. Of course you care. But these > tarballs have been online for months and obviously I am the first > user to notice that their signatures cannot be verified. > I confess that I rarely, if ever, very the signatures of tarballs that I download. > Yes, I can try the snapshot. I did so yesterday night, but could > also not download one of the keys used to sign them. Today it > works. I've got the files (SHA1 again): > I uploaded my key to subkeys.pgp.net late yesterday. > da85bd1b4390a913075c9213e6ac237b40496de1 > cmucl-2010-03-sparcv9-solaris10.tar.bz2 > 3bdc7debb828b3bcf4639976e6de72ece85d6437 cmucl-2010-03-x86-linux.tar.bz2 > 71ee45f7ae248ec1aa9e387f1f9cf2ef7022719c cmucl-src-2010-03.tar.bz2 >
Those match what I get on my master copies. > They have good signatures made with keys > > 1D48 9A97 8199 21A0 97EE 297D 2792 2352 6819 3BB2 > > and > > 0EF5 0ED5 5514 BFF6 B72B 9DAC 06CE 3819 086C 750B > I wonder why there were two keys used? I think I need to be consistent and sign the tarballs all on one machine (or copy my keys to the appropriate machines). Thanks for testing these! Ray
