Re: Bug fix release to address broken nib loading...

Mon, 10 Jun 2024 15:25:45 -0700 

Hi,

Yavor Doganov wrote:

Thanks for making a new release; this kind of regression is certainly
important enough to warrant it.

I don't know what went wrong but it looks like the signature at
ftp.gnustep.org  is bad:

$ gpg --verify --verbose gnustep-gui-0.31.1.tar.gz.sig
gpg: enabled compatibility flags:
gpg: assuming signed data in 'gnustep-gui-0.31.1.tar.gz'
gpg: Signature made  6.06.2024 (чт) 12:39:51 EEST
gpg:                using DSA key 83AAE47CE829A4146EF83420CA868D4C99149679
gpg:                issuer"[email protected]"
gpg: using pgp trust model
gpg: BAD signature from "GNUstep Maintainer<[email protected]>" 
[unknown]
gpg: binary signature, digest algorithm SHA1, key algorithm dsa1024

For Debian it doesn't matter much because even a good signature is
rejected by current dpkg:

dpkg-source: info: verifying ./gnustep-base_1.30.0.orig.tar.gz.asc
gpgv: Signature made Wed May 29 19:34:34 2024 UTC
gpgv:                using DSA key 83AAE47CE829A4146EF83420CA868D4C99149679
gpgv:                issuer"[email protected]"
gpgv: Note: signatures using the SHA1 algorithm are rejected
gpgv: Can't check signature: Bad public key
dpkg-source: warning: cannot verify upstream tarball signature for 
./gnustep-base_1.30.0.orig.tar.gz: no acceptable signature found

I'm pretty sure I told Ivan about this some time ago.  (It's not a
problem that impedes our work but would be nice to fix in the near
future.)
Richard made the release... so I wonder how it was signed? I don't know if it was done with gnustep make or github. 
Does it verify for you, Richard?

The note says it has been signed with

|83AA E47C E829 A414 6EF8 3420 CA86 8D4C 9914 9679|

If I manually run gpg:

(moria:~/Downloads) multix%  gpg --verify gnustep-gui-0.31.1.tar.gz.sig
gpg: assuming signed data in 'gnustep-gui-0.31.1.tar.gz'
gpg: Signature made Thu Jun  6 11:39:51 2024 CEST
gpg:                using DSA key 83AAE47CE829A4146EF83420CA868D4C99149679
gpg:                issuer "[email protected]"
gpg: Can't check signature: No public key

It fails with your message. The key used is correct though.

Riccardo

PS:
Gorm didn't have a signature file, so I didn't upload it to ftp.

Reply via email to