Christopher Howard <[email protected]> writes:

> Hi, I'm in the habit of checking release signatures before I install
> from source. I see in the Download area there are signatures for each
> of the Guile releases, but I can't seem to find the right public key. I
> imported the project key chain and then (re?)imported the keys listed
> for each of the project admins, but no luck.

Hello,

I think the key is revoked because the key owner (Andy Wingo)'s laptop was stolen:

alexvong1995@debian:/tmp$ LC_ALL=C torsocks gpg --verify guile-2.2.2.tar.xz.sig guile-2.2.2.tar.xz
gpg: Signature made Fri Apr 21 22:33:48 2017 CST
gpg: using RSA key FF478FB264DE32EC296725A3DDC0F5358812F8F2
gpg: Good signature from "Andy Wingo <[email protected]>" [unknown]
gpg: aka "Andy Wingo <[email protected]>" [unknown]
gpg: aka "Andy Wingo <[email protected]>" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.
gpg: reason for revocation: Key has been compromised
gpg: revocation comment: Laptop stolen 7 August 2017.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FF47 8FB2 64DE 32EC 2967 25A3 DDC0 F535 8812 F8F2
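
Added example, not part of the messages above: in the gpg output quoted in the reply, "Good signature" and "This key has been revoked" appear together, so a script that checks release signatures should read gpg's machine-readable status lines (--status-fd), where that case is reported as REVKEYSIG rather than GOODSIG. The function names and the sample status lines below are constructed for illustration; only the fingerprint is taken from the output above.

```python
import subprocess

# gpg --status-fd keywords describing the outcome of one signature check.
# Only GOODSIG means the signing key is neither expired nor revoked.
SIG_STATES = {"GOODSIG": "good", "EXPSIG": "sig-expired",
              "EXPKEYSIG": "key-expired", "REVKEYSIG": "key-revoked",
              "BADSIG": "bad", "ERRSIG": "error"}

def classify(status_text, pinned_fpr):
    """Return (states, accept) for gpg status output and a pinned fingerprint."""
    states, primaries = [], []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in SIG_STATES:
            states.append(SIG_STATES[parts[1]])
        elif parts[1] == "VALIDSIG":
            primaries.append(parts[-1])  # last field: primary key fingerprint
    # Accept only if every signature is plain GOODSIG and made by the pinned key.
    accept = (bool(states) and all(s == "good" for s in states)
              and bool(primaries) and all(p == pinned_fpr for p in primaries))
    return states, accept

def verify(sig_path, data_path, pinned_fpr):
    """Run gpg and classify its status output (requires gpg to be installed)."""
    out = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True).stdout
    return classify(out, pinned_fpr)

FPR = "FF478FB264DE32EC296725A3DDC0F5358812F8F2"  # fingerprint from the output above
# Constructed status lines (not captured from a real gpg run).
VALIDSIG = f"[GNUPG:] VALIDSIG {FPR} 2017-04-21 1492785228 0 4 0 1 8 00 {FPR}"
REVOKED = f"[GNUPG:] REVKEYSIG DDC0F5358812F8F2 Andy Wingo\n{VALIDSIG}\n"
GOOD = f"[GNUPG:] GOODSIG DDC0F5358812F8F2 Andy Wingo\n{VALIDSIG}\n"

if __name__ == "__main__":
    print(classify(REVOKED, FPR))  # revoked key: rejected
    print(classify(GOOD, FPR))     # same signature, key not revoked: accepted
```

The pinned fingerprint has to come from a source other than the download being verified; the check above only compares against it.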
