Before taking in the patch for the recent security advisory for vulnerability CVE-2008-5077, I want to verify its authenticity using GPG. However, I get this:

***********
% (gpg --list-keys 89A36572 > /dev/null 2>&1 || gpg --recv-keys 89A36572) && gpg --verify openssl_dsa_advisory.asc
gpg: Signature made Wed 07 Jan 2009 05:00:43 AM PST using RSA key ID F295C759
gpg: Can't check signature: public key not found

where "openssl_dsa_advisory.asc" used above contains the entire PGP-signed patch text
***********

This is my gpg setup:

-----------------------
% gpg --list-public-keys
~/.gnupg/pubring.gpg
---------------------------------
pub 1024D/89A36572 1999-12-12
uid OpenSSL Team Security Key (WARNING: SHARED KEY) < [email protected]>
------------------------------------

This is my first time doing this so I might be doing something wrong above. Is it the wrong shared key? Or do I need some additional GPG-related data?
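
Added example, not part of the original post: a small shell check that compares the key ID named in the "gpg --verify" output with the key IDs listed in the keyring, using the two outputs quoted above as sample input. The function names are hypothetical, and it assumes the human-readable short-key-ID text format shown in the post.

```shell
#!/bin/sh
# Added example. Sample input is the gpg output quoted in the post above.
VERIFY_OUT="gpg: Signature made Wed 07 Jan 2009 05:00:43 AM PST using RSA key ID F295C759
gpg: Can't check signature: public key not found"
KEYRING_OUT="pub 1024D/89A36572 1999-12-12
uid OpenSSL Team Security Key (WARNING: SHARED KEY)"

# Key ID that made the signature, from the "using <ALGO> key ID <ID>" line.
signing_key_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*using [A-Za-z0-9]* key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' |
        head -n 1
}

# Primary key IDs in the keyring, from "pub <bits><algo>/<ID> <date>" lines.
# Subkey ("sub") lines are not parsed in this example.
keyring_key_ids() {
    printf '%s\n' "$1" |
        sed -n 's/^pub  *[0-9]*[A-Za-z]\/\([0-9A-Fa-f]\{8,16\}\) .*/\1/p'
}

# Prints "present:<ID>" (status 0), "missing:<ID>" (status 1), or
# "no-signature-line" (status 2) when no signing key ID could be parsed.
check_signing_key() {
    want=$(signing_key_id "$1")
    if [ -z "$want" ]; then
        echo "no-signature-line"
        return 2
    fi
    if keyring_key_ids "$2" | grep -qix "$want"; then
        echo "present:$want"
    else
        echo "missing:$want"
        return 1
    fi
}

# For the post's output this prints "missing:F295C759".
check_signing_key "$VERIFY_OUT" "$KEYRING_OUT" || true
```

In a real run the two arguments would be the captured output of "gpg --verify <file> 2>&1" and "gpg --list-public-keys".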
