NH., Friday, September 5, 2014, 9:01:00 PM, you wrote:
> Hi Alan, > I can't verify package with your provided key: > # gpg --verify trafficserver-5.1.0-rc0.tar.bz2.asc > gpg: Signature made Fri 05 Sep 2014 09:07:36 AM ICT using RSA key ID 94D96DE2 > gpg: Can't check signature: public key not found > # gpg --list-keys > /root/.gnupg/pubring.gpg > ------------------------ > pub 4096R/1DE00649 2014-08-27 [expires: 2019-08-26] > uid Alan M. Carroll <[email protected]> > sub 4096R/B32072E0 2014-08-27 [expires: 2019-08-26] > Am I missing something? Yes, there should be another sub key attached to 1DE00649. You can see it in the KEYS file - https://dist.apache.org/repos/dist/release/trafficserver/KEYS pub 4096R/1DE00649 2014-08-27 [expires: 2019-08-26] Key fingerprint = F918 A5D2 EDDF 5F7C 6AB6 7CB4 71C5 6709 1DE0 0649 uid Alan M. Carroll <[email protected]> sig 3 1DE00649 2014-08-27 Alan M. Carroll <[email protected]> sig ABAA2C9F 2014-09-04 Alan M. Carroll <[email protected]> sig 5D7BBC5A 2014-09-04 Leif Hedstrom (CODE SIGNING KEY) <[email protected]> sig B84508EC 2014-09-04 Bryan W. Call <[email protected]> sub 4096R/B32072E0 2014-08-27 [expires: 2019-08-26] sig 1DE00649 2014-08-27 Alan M. Carroll <[email protected]> sub 4096R/94D96DE2 2014-09-03 [expires: 2019-09-02] <-----------------| sig 1DE00649 2014-09-03 Alan M. Carroll <[email protected]> Or on the MIT public key server - http://pgp.mit.edu/pks/lookup?op=vindex&search=0x71C567091DE00649 I'm not sure how you got one of the subkeys but not the other.
