Don't know why my first email did not go through. Resending the email below...
---------- Forwarded message ----------
From: Vineet Kumar <vineet.ku...@gmail.com>
Date: Thu, Jan 8, 2009 at 10:22 AM
Subject: GPG verification of patch vulnerability CVE-2008-5077..
To: openssl-dev@openssl.org

Before taking in the patch for the recent security advisory for vulnerability CVE-2008-5077, I want to verify its authenticity using GPG. However, I get this:

***********
% (gpg --list-keys 89A36572 > /dev/null 2>&1 || gpg --recv-keys 89A36572) && gpg --verify openssl_dsa_advisory.asc
gpg: Signature made Wed 07 Jan 2009 05:00:43 AM PST using RSA key ID F295C759
gpg: Can't check signature: public key not found

where "openssl_dsa_advisory.asc" used above contains the entire PGP-signed patch text
***********

This is my gpg setup:
-----------------------
% gpg --list-public-keys
~/.gnupg/pubring.gpg
---------------------------------
pub 1024D/89A36572 1999-12-12
uid OpenSSL Team Security Key (WARNING: SHARED KEY) <openssl-secur...@openssl.org>
------------------------------------

This is my first time doing this so I might be doing something wrong above. Is it the wrong shared key? Or do I need some additional GPG-related data?