On 6/28/23 15:31, Benson Muite wrote:
> On 6/28/23 12:22, Arun Isaac wrote:
>>
>> Hi,
>>
>> Thanks for reporting this! The new signing key is mine. I joined the
>> skribilo team recently as a maintainer, and made the latest release. So,
>> I signed it with my key. But, I see this is probably not the best
>> idea. It would cause quite a lot of confusion every time we have new
>> maintainers on the team.
>>
>> @Ludo: How should we best handle release signatures? Should we re-sign
>> the latest release with your key?
>>
>> Regards,
>> Arun
> Hi Arun,
> Thanks for maintaining Skribilo. Locally on my machine, I get
> $ gpg2 --verify skribilo-0.10.0.tar.gz.sig
> gpg: assuming signed data in 'skribilo-0.10.0.tar.gz'
> gpg: Signature made Wed 08 Mar 2023 04:11:11 AM EAT
> gpg:                using RSA key 7F730343F2F09F3C77BF79D32E25EE8B61802BB3
> gpg: Good signature from "Arun I <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 7F73 0343 F2F0 9F3C 77BF  79D3 2E25 EE8B 6180 2BB3
>
> $ gpg2 --verify skribilo-0.9.5.tar.gz.sig
> gpg: assuming signed data in 'skribilo-0.9.5.tar.gz'
> gpg: Signature made Sun 01 Nov 2020 08:31:29 PM EAT
> gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> gpg: Good signature from "Ludovic Courtès <[email protected]>" [unknown]
> gpg:                 aka "Ludovic Courtès <[email protected]>" [unknown]
> gpg:                 aka "Ludovic Courtès (Inria) <[email protected]>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
>
> So it seems signed. However following:
> https://ftp.gnu.org/README
>
> $ gpgv --keyring ./gnu-keyring.gpg skribilo-0.10.0.tar.gz.sig skribilo-0.10.0.tar.gz
> gpgv: Signature made Wed 08 Mar 2023 04:11:11 AM EAT
> gpgv:                using RSA key 7F730343F2F09F3C77BF79D32E25EE8B61802BB3
> gpgv: Can't check signature: No public key
>
> $ gpgv --keyring ./gnu-keyring.gpg skribilo-0.9.5.tar.gz.sig skribilo-0.9.5.tar.gz
> gpgv: Signature made Sun 01 Nov 2020 08:31:29 PM EAT
> gpgv:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> gpgv: Good signature from "Ludovic Courtès <[email protected]>"
> gpgv:                 aka "Ludovic Courtès <[email protected]>"
> gpgv:                 aka "Ludovic Courtès (Inria) <[email protected]>"
>
> So it seems you need to have your key added to those in GNU's keyring.
> Not sure what the process for this is, but hopefully it can be done.
>
> Regards,
> Benson
>

Arun,

The keys from

https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x7f730343f2f09f3c77bf79d32e25ee8b61802bb3
https://systemreboot.net/about/arunisaac.pub

work, but the key from

https://keys.openpgp.org/vks/v1/by-fingerprint/7F730343F2F09F3C77BF79D32E25EE8B61802BB3

had an error when doing the verification.

Benson
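
Added example, not part of the thread and not code from the Skribilo or GNU projects: a small Python classifier for the machine-readable status lines that gpg and gpgv emit with `--status-fd`, separating the three outcomes seen above (valid and from a pinned key, valid but from a key outside the pinned set, and not checkable for lack of a public key). The status lines are constructed samples, the pinned set mirroring the keyring is an assumption, and `classify` is a hypothetical helper name; only the two fingerprints come from the output quoted in the thread.

```python
# Fingerprints as printed in the thread's gpg output.
ARUN = "7F730343F2F09F3C77BF79D32E25EE8B61802BB3"
LUDO = "3CE464558A84FDC69DB40CFB090B11993D9AEBB5"

# Assumption: the pinned set mirrors a keyring that holds only the older key.
PINNED = {LUDO}

# Constructed --status-fd samples (user IDs and timestamps are illustrative).
STATUS_0_9_5 = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 090B11993D9AEBB5 (constructed user ID)",
    f"[GNUPG:] VALIDSIG {LUDO} 2020-11-01 1604251889 0 4 0 1 10 00 {LUDO}",
])
# gpgv with a keyring that lacks the signer's key.
STATUS_0_10_0_GPGV = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] ERRSIG 2E25EE8B61802BB3 1 10 00 1678237871 9 {ARUN}",
    "[GNUPG:] NO_PUBKEY 2E25EE8B61802BB3",
])
# gpg --verify after importing the key locally: cryptographically valid.
STATUS_0_10_0_GPG = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 2E25EE8B61802BB3 (constructed user ID)",
    f"[GNUPG:] VALIDSIG {ARUN} 2023-03-08 1678237871 0 4 0 1 10 00 {ARUN}",
])

FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def classify(status_text, pinned):
    """Return (verdict, status keyword, key id or primary fingerprint)."""
    failure = None
    signer = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in FAILURES and failure is None:
            failure = (keyword, args[0])          # any failure wins
        elif keyword == "VALIDSIG":
            # The 10th field is the primary key fingerprint when present.
            signer = args[9] if len(args) >= 10 else args[0]
    if failure:
        return ("rejected", failure[0], failure[1])
    if signer is None:
        return ("rejected", "NO_VALIDSIG", "")
    if signer.upper() in pinned:
        return ("accepted", "VALIDSIG", signer)
    return ("unpinned", "VALIDSIG", signer)
```

The "unpinned" verdict corresponds to gpg's "Good signature" with the "not certified with a trusted signature" warning: the signature checks out, but nothing ties the key to the project until its fingerprint is added to the pinned set or keyring.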
