On 11/29/18, Craig Small <csm...@debian.org> wrote:
> Hi Lee,
> The point is the GPG key found on the net-snmp website has the wrong key.

I just did a not-so-quick-test moving my existing gnupg info out of the
way and you're right - I can't get from the key on their web page to a
key that verifies the package just by refreshing keys.

> I can quite easily download the key off the keyserver but the point is not
> that someone signed the package using some random key uploaded to a
> keyserver, but it was signed by the correct key. For better or worse, the
> only way of determining the correct key is to trust the net-snmp website
> which says "we use this key".

You can look here:
  https://github.com/net-snmp/net-snmp/commit/454212142ed531cf842703831a187177e27923fa
do a
  $ gpg --recv-keys ACB19FD6
at which point
  $ gpg --verify net-snmp-5.8.tar.gz.asc net-snmp-5.8.tar.gz
  gpg: Signature made Mon, Jul 16, 2018 10:33:52 AM EDT
  gpg:                using RSA key 0xF07B9D2DACB19FD6
  gpg: Good signature from "Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: D0F8 F495 DA61 60C4 4EFF  BF10 F07B 9D2D ACB1 9FD6

^shrug^ it'd be better if they fixed their net-snmp-admin PGP key
download link tho

Regards,
Lee

>
> - Craig
>
>
> On Fri, 30 Nov. 2018, 08:44 Lee <ler...@gmail.com wrote:
>
>> On 11/27/18, Craig Small <csm...@debian.org> wrote:
>> > Hi,
>> > The 5.8 tarball is signed with one key and the GPG key available on your
>> > website is another.
>> > I assume that it's just you using a new key, but for now I won't be updating
>> > the Debian packages until I'm sure they're ok.
>>
>> Maybe you need to refresh your keys?
>> $ gpg --refresh-keys "Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>"
>>
>> All these show as expired
>> > $ gpg net-snmp-admin.asc
>> > gpg: WARNING: no command supplied.  Trying to guess what you mean ...
>> > pub   dsa1024 2003-01-15 [SCA] [expired: 2006-01-14]
>> >       F8AAF6915F859170B6E14DCFACCB65FD7800FEAC
>> > uid           Net-SNMP Administrators <net-snmp-ad...@lists.sourceforge.net>
>> > sub   elg1024 2003-01-15 [E] [expired: 2006-01-14]
>> > pub   dsa1024 2006-01-17 [SC] [expired: 2009-01-16]
>> >       2B118A084EAAA4F068D9DB80D433A441FFEF09D7
>> > uid           Net-SNMP Administrators <net-snmp-ad...@lists.sourceforge.net>
>> > sub   elg4096 2006-01-17 [E] [expired: 2009-01-16]
>> > pub   dsa1024 2008-07-18 [SC] [expired: 2011-07-18]
>> >       A3D28987986266F80C577A5F945B5DBA317F8F64
>> > uid           Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>
>> > sub   elg4096 2008-07-18 [E] [expired: 2011-07-18]
>> > pub   rsa4096 2011-06-02 [SC] [expired: 2014-06-01]
>> >       8AAA779B597B405BBC329B6376CF47B8A77C5329
>> > uid           Net-SNMP Administrators <net-snmp-ad...@lists.sourceforge.net>
>> > sub   rsa4096 2011-06-02 [E] [expired: 2014-06-01]
>>
>> I have a non-expired one in my keyring:
>> $ gpg --list-keys "Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>"
>> pub   1024D/0x945B5DBA317F8F64 2008-07-18 [expired: 2011-07-18]
>>       Key fingerprint = A3D2 8987 9862 66F8 0C57  7A5F 945B 5DBA 317F 8F64
>> uid   Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>
>>
>> pub   4096R/0x7D5F9576E0F81533 2014-07-23 [expired: 2017-07-22]
>>       Key fingerprint = 27CA A4A3 2E37 1383 A33E  D058 7D5F 9576 E0F8 1533
>> uid   Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>
>>
>> pub   4096R/0xF07B9D2DACB19FD6 2017-10-29 [expires: 2022-10-28]
>>       Key fingerprint = D0F8 F495 DA61 60C4 4EFF  BF10 F07B 9D2D ACB1 9FD6
>> uid   Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>
>> sub   4096R/0x830BDF8C2945FFAC 2017-10-29 [expires: 2022-10-28]
>>
>>
>> which verifies:
>> $ gpg --verify net-snmp-5.8.tar.gz.asc net-snmp-5.8.tar.gz
>> gpg: Signature made Mon, Jul 16, 2018 10:33:52 AM EDT
>> gpg:                using RSA key 0xF07B9D2DACB19FD6
>> gpg: Good signature from "Net-SNMP Administrators <net-snmp-adm...@lists.sourceforge.net>"
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: D0F8 F495 DA61 60C4 4EFF  BF10 F07B 9D2D ACB1 9FD6
>>
>>
>> > $ gpg --verify net-snmp-5.8.tar.gz.asc net-snmp-5.8.tar.gz
>> > gpg: Signature made Tue 17 Jul 2018 00:33:52 AEST
>> > gpg:                using RSA key F07B9D2DACB19FD6
>> > gpg: Can't check signature: No public key
>> > --
>> > Craig Small      https://dropbear.xyz/    csmall at : dropbear.xyz
>> > Debian GNU/Linux https://www.debian.org/  csmall at : debian.org
>> > Mastodon: @smalls...@social.dropbear.xyz  Twitter: @smallsees
>> > GPG fingerprint: 5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
>>
>> Lee
>>
>
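
Added example, not part of the original thread: one way to script the point Craig raises, accepting the tarball only when the signature comes from a key whose full fingerprint was pinned in advance rather than from whatever key a short ID fetches off a keyserver. The fingerprint is the one printed in the thread; the function names and the sample status lines are constructed for illustration, and the check also rejects signatures from expired or revoked keys, which GnuPG still reports as cryptographically valid.

```sh
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# Full fingerprint printed in the thread, spaces removed. Confirm it through
# a channel you trust before pinning it.
PINNED_FPR="D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F07B9D2DACB19FD6 Net-SNMP Administrators
[GNUPG:] VALIDSIG D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6 2018-07-16 1531751632 0 4 0 1 8 00 D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6'

# check_status FPR: read gpg status lines on stdin and succeed only if
#  - GOODSIG was reported (key neither expired nor revoked),
#  - VALIDSIG names FPR as the primary key (last field in current GnuPG;
#    older output without that field fails closed), and
#  - no BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line appears.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && ok && !bad) }
    '
}

# verify_pinned SIG FILE [FPR]: run gpg and enforce the pin on its status output.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$PINNED_FPR}"
}

# Run as: sh verify.sh net-snmp-5.8.tar.gz.asc net-snmp-5.8.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "OK: signed by pinned key"
    else
        echo "REJECTED: not signed by pinned key" >&2
        exit 1
    fi
fi
```

A "Good signature" line alone only says that some key in the keyring made the signature; the pin is what ties it to the key the project is supposed to be using.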