On 9 Apr 2014, at 4:12 PM, Jakob Bohm wrote:
> Attention: The .asc file I downloaded directly from openssl.org for the 
> 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt 
> file distributed in previous tarballs, nor by the (unverifiable) 
> fingerprints.txt available from
>   http://www.openssl.org/docs/misc/
> Specifically, it was signed by a PGP key purporting to belong to Dr. Henson, 
> but with a different identifier and a different e-mail address
> than the authorized key listed for him in fingerprints.txt.
> I suspect this is just a mixup at your end, but one cannot feel too
> sure without a valid file signature consistent with the securely distributed 
> signature list.

I also noticed this: previous tarballs were all signed by the F295C759 key 
(fingerprint ending in D57EE597), but this announcement and the 1.0.1g tarball 
were both signed by the FA40E9E2 key. However, the new key (all three of its 
userids) *is* signed by the old key, so there is, I think, some assurance that 
the new key also belongs to Dr Stephen Henson and that the release is 

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
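
The check discussed in the two messages above, as an added example that is not part of either message or of the OpenSSL project: it separates a release signature made by a key listed in fingerprints.txt from one made by an unlisted key that a listed key has certified. It assumes the inputs are the text output of `gpg --status-fd 1 --verify` and `gpg --with-colons --check-sigs`; the fingerprints, dates and sample output are constructed placeholders, and the function names are hypothetical.

```python
# Added example: constructed fingerprints and gpg output, not real OpenSSL keys.
OLD_FPR = "1" * 40    # stands in for a key listed in fingerprints.txt
NEW_FPR = "2" * 40    # stands in for the unlisted key that signed the release
OTHER_FPR = "3" * 40  # an unrelated pinned key

# Constructed sample of `gpg --status-fd 1 --verify file.asc file`
STATUS_SAMPLE = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] VALIDSIG {NEW_FPR} 2014-04-07 1396900000 0 4 0 1 2 00 {NEW_FPR}\n")
# Constructed sample of `gpg --with-colons --check-sigs <new key>`
COLONS_SAMPLE = (
    f"pub:-:4096:1:{NEW_FPR[-16:]}:1396000000:::-:::scESC:\n"
    f"fpr:::::::::{NEW_FPR}:\n"
    "uid:-::::1396000000::::Constructed Signer <signer@example.invalid>:\n"
    f"sig:!::1:{NEW_FPR[-16:]}:1396000000::::Constructed Signer:13x::{NEW_FPR}:\n"
    f"sig:!::1:{OLD_FPR[-16:]}:1396000001::::Constructed Old Key:10x::{OLD_FPR}:\n")

def signer_of(status_text):
    """Primary-key fingerprint from a VALIDSIG status line, or None."""
    for line in status_text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "[GNUPG:]" and tok[1] == "VALIDSIG":
            # The last VALIDSIG field is the primary key's fingerprint.
            return (tok[11] if len(tok) >= 12 else tok[2]).upper()
    return None

def certifiers_of(colons_text, key_fpr):
    """Fingerprints of keys with a verified ('!') signature on key_fpr."""
    found, current, prev = set(), None, None
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and prev == "pub":      # fingerprint of a primary key
            current = f[9].upper()
        elif f[0] == "sig" and current == key_fpr and f[1].startswith("!"):
            if len(f) > 12 and f[12]:            # field 13: issuer fingerprint
                found.add(f[12].upper())
        prev = f[0]
    found.discard(key_fpr)                       # a self-signature proves nothing
    return found

def classify(status_text, colons_text, pinned):
    """Return 'invalid', 'pinned', 'cross-signed' or 'untrusted'."""
    signer = signer_of(status_text)
    if signer is None:
        return "invalid"          # no cryptographically valid signature at all
    if signer in pinned:
        return "pinned"           # signer is in the securely distributed list
    if certifiers_of(colons_text, signer) & pinned:
        return "cross-signed"     # unlisted key, but certified by a listed key
    return "untrusted"            # valid signature from a key nothing vouches for
```

With only the old key pinned, the constructed samples classify as "cross-signed", which is the situation the reply describes; it is reported separately from "pinned" so that a reader can decide how much weight the certification carries.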
