https://bugzilla.redhat.com/show_bug.cgi?id=1821120

Bob Hepple <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(bob.hepple@gmail. |
                   |com)                        |



--- Comment #4 from Bob Hepple <[email protected]> ---
Hi Lyes,

I've spent most of this morning studying up on the %gpgverify issue and I just
can't get it to work.

Note that AFAICS the .sig on the releases page does not refer to Source0 but to
some arbitrary tarball wlogout.tar.gz that the author uploaded:

$ ll wlogout-1.1.1.tar.gz wlogout.tar.gz
-rw-rw-r--. 1 bhepple bhepple 540189 Apr  6 14:07 wlogout-1.1.1.tar.gz
-rw-rw-r--. 1 bhepple bhepple 624640 Apr 20 11:39 wlogout.tar.gz

Having downloaded the author's public key, it does not verify that file:

$ gpgv --keyring ./gpg-key-F4FDB18A9937358364B276E9E25D679AF73C6D2F.gpg wlogout.tar.gz.sig wlogout.tar.gz
gpgv: Signature made Sat 14 Mar 2020 15:37:44 AEST
gpgv:                using RSA key F4FDB18A9937358364B276E9E25D679AF73C6D2F
gpgv: [don't know]: invalid packet (ctb=2d)
gpgv: keydb_search failed: Invalid packet
gpgv: [don't know]: invalid packet (ctb=2d)
gpgv: keydb_search failed: Invalid packet
gpgv: Can't check signature: No public key

The wlogout.tar.gz does not actually download as a gzipped tarball but as a
plain tarball - so it's pretty suspicious!

In any case I think we want to be working with Source0 as that's a tarball
generated by GitHub from the repo automatically.

Any ideas?
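
A pre-flight check for the two symptoms shown in this comment, added here as an example; it is not part of the original message or of any Fedora tooling. The `ctb=2d` in the gpgv output is byte 0x2d (`-`), which is how an ASCII-armored key block begins and which gpgv cannot parse as a binary keyring, while a real gzip file starts with bytes 1f 8b. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: identify keyring and tarball formats by their magic bytes.

# hex_at FILE OFFSET COUNT -> COUNT bytes at OFFSET as lowercase hex, no spaces
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# classify FILE -> pgp-armored | pgp-binary-key | gzip | tar | other
classify() {
    case "$(hex_at "$1" 0 14)" in
        # "-----BEGIN PGP": ASCII armor; its first byte 0x2d is the rejected ctb
        2d2d2d2d2d424547494e20504750) echo pgp-armored; return ;;
    esac
    case "$(hex_at "$1" 0 1)" in
        98|99|c6) echo pgp-binary-key; return ;;   # OpenPGP public-key packet tag
    esac
    if [ "$(hex_at "$1" 0 2)" = 1f8b ]; then echo gzip; return; fi
    if [ "$(hex_at "$1" 257 5)" = 7573746172 ]; then echo tar; return; fi  # "ustar"
    echo other
}

# preflight KEYRING TARBALL -> prints findings, returns the number of problems
preflight() {
    problems=0
    if [ "$(classify "$1")" = pgp-armored ]; then
        echo "keyring $1 is ASCII-armored; convert: gpg --dearmor < $1 > key.gpg"
        problems=$((problems + 1))
    fi
    kind=$(classify "$2")
    case "$2" in
        *.gz) if [ "$kind" != gzip ]; then
                  echo "tarball $2 is named .gz but its content is: $kind"
                  problems=$((problems + 1))
              fi ;;
    esac
    return "$problems"
}

# Constructed sample files standing in for the real downloads.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$d/key.asc"
    { head -c 257 /dev/zero; printf 'ustar'; } > "$d/plain.tar.gz"
    printf '\037\213\010' > "$d/real.tar.gz"
    echo "$d"
}
```

Run `preflight <keyring> <tarball>` on the downloaded files before calling gpgv; a non-zero return means at least one input is not in the format its name implies.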

