On 19/05/17 16:28, Jonathan K. Bullard wrote:
> When I try to verify the signature on openvpn-2.3.16.tar.gz (using
> openvpn-2.3.16.tar.gz.asc) from the "Downloads" page [1], I get the
> following:
>
> gpg: assuming signed data in `XXX/openvpn-2.3.16.tar.gz'
> gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID
> 8CC2B034
> gpg: Can't check signature: public key not found
>
> The signatures on openvpn-2.3.15.tar.gz (downloaded last week) and on
> openvpn-2.4.2.tar.gz both verify fine.
>
> I think this is because Samuli's new key's ID is not 8CC2B034, it is
> 40864578 (if I understand correctly what is meant by "ID".)

Samuli has an old key (0x198D22A3, RSA-1024) and a new key (0x40864578, RSA-2048). He has switched to the new key and prefers to use that one. We decided just a few days ago that we will switch to use the [email protected] key for signing the officially released tarballs.

> Is 8CC2B034 the "Security mailing list GPGP key" on the "GnuPG Public
> Key" page [2]?

The proper key is:

pub 4096R/0x12F5F7B42F2B01E7 2017-02-09 [expires: 2027-02-07]
Key fingerprint = F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7
uid OpenVPN - Security Mailing List <[email protected]>

Which can also be found here:
<http://pgp.mit.edu/pks/lookup?op=get&search=0x12F5F7B42F2B01E7>

> The link on that page to that key is broken (and includes
> Javascript!).

Yes! I discovered the same issue and reported it internally a couple of hours ago. I expect it to be fixed in not too long.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
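An added example, not part of the original message or of OpenVPN's own tooling: a shell check that reads gpg's machine-readable status output and accepts a tarball signature only when its primary-key fingerprint equals the full fingerprint quoted in the reply above, instead of comparing short key IDs. The status lines are constructed samples; the key IDs and the subkey fingerprint in them are made up.

```shell
#!/bin/sh
# Added example; not from the original message.
# Primary-key fingerprint quoted in the reply above, spaces removed.
EXPECTED_FPR="F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7"

# Reads `gpg --status-fd 1 --verify SIG FILE` output on stdin and prints one
# verdict: OK, WRONG_KEY <fpr>, MISSING_KEY <keyid>, or BAD.
check_status() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "NO_PUBKEY" { missing = $3 }
        $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the key that made the signature (may be a
        # subkey); the last of its 10 arguments is the primary key.
        $2 == "VALIDSIG" { primary = (NF >= 12) ? $NF : $3 }
        END {
            if (bad)                  print "BAD"
            else if (primary == want) print "OK"
            else if (primary != "")   print "WRONG_KEY " primary
            else if (missing != "")   print "MISSING_KEY " missing
            else                      print "BAD"
        }'
}

# Constructed status lines (key IDs and the subkey fingerprint are made up).
SAMPLE_MISSING='[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 1 8 00 1495140208 9
[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA'
SAMPLE_OK="[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA constructed uid
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2017-05-18 1495140208 0 4 0 1 8 00 $EXPECTED_FPR"
SAMPLE_WRONG='[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2017-05-18 1495140208 0 4 0 1 8 00 2222222222222222222222222222222222222222'

# Print the verdict for each constructed case.
for s in "$SAMPLE_MISSING" "$SAMPLE_OK" "$SAMPLE_WRONG"; do
    printf '%s\n' "$s" | check_status
done
```

Against a real download, the input would come from `gpg --status-fd 1 --verify openvpn-2.3.16.tar.gz.asc openvpn-2.3.16.tar.gz 2>/dev/null | check_status`.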
