On 6/28/23 12:22, Arun Isaac wrote:
>
> Hi,
>
> Thanks for reporting this! The new signing key is mine. I joined the
> skribilo team recently as a maintainer, and made the latest release. So,
> I signed it with my key. But, I see this is probably not the best
> idea. It would cause quite a lot of confusion every time we have new
> maintainers on the team.
>
> @Ludo: How should we best handle release signatures? Should we re-sign
> the latest release with your key?
>
> Regards,
> Arun

Hi Arun,

Thanks for maintaining Skribilo.

Locally on my machine, I get

$ gpg2 --verify skribilo-0.10.0.tar.gz.sig
gpg: assuming signed data in 'skribilo-0.10.0.tar.gz'
gpg: Signature made Wed 08 Mar 2023 04:11:11 AM EAT
gpg:                using RSA key 7F730343F2F09F3C77BF79D32E25EE8B61802BB3
gpg: Good signature from "Arun I <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7F73 0343 F2F0 9F3C 77BF  79D3 2E25 EE8B 6180 2BB3

$ gpg2 --verify skribilo-0.9.5.tar.gz.sig
gpg: assuming signed data in 'skribilo-0.9.5.tar.gz'
gpg: Signature made Sun 01 Nov 2020 08:31:29 PM EAT
gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
gpg: Good signature from "Ludovic Courtès <[email protected]>" [unknown]
gpg:                 aka "Ludovic Courtès <[email protected]>" [unknown]
gpg:                 aka "Ludovic Courtès (Inria) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5

So it seems signed. However, following https://ftp.gnu.org/README:

$ gpgv --keyring ./gnu-keyring.gpg skribilo-0.10.0.tar.gz.sig skribilo-0.10.0.tar.gz
gpgv: Signature made Wed 08 Mar 2023 04:11:11 AM EAT
gpgv:                using RSA key 7F730343F2F09F3C77BF79D32E25EE8B61802BB3
gpgv: Can't check signature: No public key

$ gpgv --keyring ./gnu-keyring.gpg skribilo-0.9.5.tar.gz.sig skribilo-0.9.5.tar.gz
gpgv: Signature made Sun 01 Nov 2020 08:31:29 PM EAT
gpgv:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
gpgv: Good signature from "Ludovic Courtès <[email protected]>"
gpgv:                 aka "Ludovic Courtès <[email protected]>"
gpgv:                 aka "Ludovic Courtès (Inria) <[email protected]>"

So it seems you need to have your key added to those in GNU's keyring.
Not sure what the process for this is, but hopefully it can be done.

Regards,
Benson
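
Added example, not part of the message above and not code from Skribilo or GNU: a sketch of how a packaging script could tell apart the three outcomes shown in the thread, by reading the machine-readable lines of `gpgv --status-fd 1` and comparing the primary key fingerprint against a pinned set. The function name `classify`, the pinned set and the sample status lines are assumptions constructed for illustration; only the two fingerprints come from the thread.

```python
# Added example: interpret `gpgv --status-fd 1` output for one detached signature.
# Assumption: the verifier pins the fingerprint that gnu-keyring.gpg matched in the thread.
PINNED = {"3CE464558A84FDC69DB40CFB090B11993D9AEBB5"}

def classify(status_text, pinned=PINNED):
    """Return (verdict, key) for the status lines of one signature."""
    verdict, key = "no-signature", None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable "gpgv: ..." lines are not meant for parsing
        fields = line.split()[1:]
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "BADSIG":
            return "bad-signature", args[0]  # data or signature was altered
        if tag in ("EXPKEYSIG", "REVKEYSIG"):
            return "key-expired-or-revoked", args[0]
        if tag == "VALIDSIG":
            # Field 10 is the primary key fingerprint; fall back to the signing key.
            fpr = args[9] if len(args) > 9 else args[0]
            verdict, key = ("trusted" if fpr in pinned else "valid-but-unpinned"), fpr
        elif tag == "ERRSIG" and verdict == "no-signature":
            # rc 9 means the public key is missing: the "No public key" case.
            rc = args[5] if len(args) > 5 else ""
            verdict, key = ("unknown-key" if rc == "9" else "unverifiable"), args[0]
        elif tag == "NO_PUBKEY" and verdict == "no-signature":
            verdict, key = "unknown-key", args[0]
    return verdict, key

# Constructed status output (timestamps and algorithm numbers are illustrative;
# the fingerprints are the two quoted in the thread).
NEW = "7F730343F2F09F3C77BF79D32E25EE8B61802BB3"
OLD = "3CE464558A84FDC69DB40CFB090B11993D9AEBB5"
MISSING_KEY = f"""[GNUPG:] NEWSIG
[GNUPG:] ERRSIG {NEW[-16:]} 1 10 00 1678237871 9 {NEW}
[GNUPG:] NO_PUBKEY {NEW[-16:]}"""

def valid(fpr):
    """Build constructed status lines for a signature that verified against fpr."""
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {fpr[-16:]} (constructed user id)\n"
            f"[GNUPG:] VALIDSIG {fpr} 2023-03-08 1678237871 0 4 0 1 10 00 {fpr}")

if __name__ == "__main__":
    print(classify(MISSING_KEY))  # 0.10.0 checked against gnu-keyring.gpg
    print(classify(valid(OLD)))   # 0.9.5 checked against gnu-keyring.gpg
    print(classify(valid(NEW)))   # 0.10.0 checked against a keyring holding the new key
```

A "valid-but-unpinned" result corresponds to the gpg2 output with the "not certified with a trusted signature" warning: the signature is intact, but the key still has to be confirmed through another channel before it is added to the pinned set.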
