At both <ftp://ftp.openssl.org/source/> and
<http://openssl.org/source>, the "openssl-0.9.8f.tar.gz.sha1"
file does not match the actual SHA1 checksum of
"openssl-0.9.8f.tar.gz".  (The MD5 sum is ok.)

Also, the "openssl-0.9.8f.tar.gz.asc" file is a binary PGP
signature and not, as the name implies, an ASCII signature.
Older *.asc files in the same directory have been ASCII
PGP signatures, generated by GnuPG (at least the ones I've
checked).  Using a binary signature file is ok, but the suffix
should be ".sig", not ".asc".

Finally, the signature was generated using a key with ID
2719AF35.  It appears to be Ben Laurie's key, but according
to <http://openssl.org/about/>, his key has an ID of 2118CF83.

Since OpenSSL 0.9.8f is a security bugfix release, it's
important to be able to verify its integrity.

-- 
Keith Thompson <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
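
The checks described in the message above, as an added example that is not part of the original post and is not OpenSSL project code: it compares a file against published .sha1/.md5 digest files and tells an ASCII-armored detached signature from a binary one. The function names, the accepted digest-file layouts and the sample bytes are assumptions constructed for illustration; verifying the signature itself and its key ID is still gpg's job.

```python
import hashlib
import hmac
import string

ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"
SUFFIX_FOR = {"armored": ".asc", "binary": ".sig"}  # convention stated in the post


def digest_matches(data: bytes, digest_file_text: str, algo: str) -> bool:
    """True if a published digest of the right length equals hash(data).

    Accepts a bare hex digest, "hex  filename", or "ALGO(file)= hex".
    """
    want_len = hashlib.new(algo).digest_size * 2
    actual = hashlib.new(algo, data).hexdigest()
    for token in digest_file_text.split():
        token = token.lower()
        if len(token) == want_len and all(c in string.hexdigits for c in token):
            return hmac.compare_digest(token, actual)
    return False  # no digest found: treat as a failed check, not a pass


def classify_signature(blob: bytes) -> str:
    """Return 'armored', 'binary' or 'unknown' for a detached signature."""
    if blob.lstrip().startswith(ARMOR_HEADER):
        return "armored"
    if blob and blob[0] & 0x80:  # every OpenPGP packet header sets bit 7
        first = blob[0]
        # New-format headers (bit 6 set) carry the tag in bits 5-0,
        # old-format headers in bits 5-2. Tag 2 is a signature packet.
        tag = first & 0x3F if first & 0x40 else (first & 0x3C) >> 2
        if tag == 2:
            return "binary"
    return "unknown"


def suffix_matches_encoding(filename: str, blob: bytes) -> bool:
    """True if the file suffix agrees with how the signature is encoded."""
    expected = SUFFIX_FOR.get(classify_signature(blob))
    return expected is not None and filename.endswith(expected)


if __name__ == "__main__":
    tarball = b"constructed stand-in for a release tarball\n"
    good_md5 = hashlib.md5(tarball).hexdigest()
    stale_sha1 = "0" * 40  # constructed digest that does not match
    print("md5 ok: ", digest_matches(tarball, good_md5, "md5"))
    print("sha1 ok:", digest_matches(tarball, stale_sha1, "sha1"))
    print(".asc ok:", suffix_matches_encoding("release.tar.gz.asc", b"\x89\x01\x1c"))
```
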
