Closed fenrus75 closed 1 year ago
Hi @fenrus75,
What command do you use for verification?
I've checked the signatures like this:
```
$ gpg --verify system-config-printer-1.5.18.tar.xz.asc system-config-printer-1.5.18.tar.xz
...
gpg: Good signature from "Zdenek Dohnal (The old 4D4227D7 key revoked) <zdohnal@redhat.com>" [ultimate]
$ gpg --verify system-config-printer-1.5.18.tar.bz2.asc system-config-printer-1.5.18.tar.bz2
...
gpg: Good signature from "Zdenek Dohnal (The old 4D4227D7 key revoked) <zdohnal@redhat.com>" [ultimate]
$ gpg --verify system-config-printer-1.5.18.tar.gz.asc system-config-printer-1.5.18.tar.gz
...
gpg: Good signature from "Zdenek Dohnal (The old 4D4227D7 key revoked) <zdohnal@redhat.com>" [ultimate]
```
No response for a month, closing.
As part of distro automation we check gpg signatures on upstream sources, and for the 1.5.18 release we get gpg complaining:
```
Exception: gpg: keybox '/tmp/tmp.gpghomeimk3m5kc/pubring.kbx' created
gpg: key E4522DCC9B246FF7: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
```
Can this be looked into? I wouldn't want to ship a package that is signed but fails its signature obviously.
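
The messages quoted in the report ("keybox created", "no valid user IDs", "Total number processed") are printed by gpg while importing a key, before any signature is checked. As an added example that is not part of this thread or of the project's code, the Python below reads gpg's `--status-fd` lines so automation can report a rejected key separately from a bad signature; the function names, the fingerprint and the sample status lines are constructed for illustration.

```python
# Added example. Function names, fingerprint and sample lines are constructed.
# Inputs are the stdout of `gpg --batch --status-fd 1 --import KEYFILE` and
# `gpg --batch --status-fd 1 --verify SIGFILE DATAFILE`.
PREFIX = "[GNUPG:] "
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint

def status_records(text):
    """Yield (keyword, args) for each machine-readable status line."""
    for line in text.splitlines():
        parts = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        if parts:
            yield parts[0], parts[1:]

def parse_import(text):
    """Return (processed, without_user_id, usable) from the IMPORT_RES line."""
    for keyword, args in status_records(text):
        if keyword == "IMPORT_RES" and len(args) >= 5:
            count, no_uid, imported, unchanged = (int(args[i]) for i in (0, 1, 2, 4))
            return count, no_uid, imported + unchanged
    return 0, 0, 0

def check_release(import_out, verify_out, expected_fpr):
    """Name the stage that failed, so a rejected key is not reported as a bad signature."""
    _, no_uid, usable = parse_import(import_out)
    if usable == 0:
        return "key-rejected-no-user-id" if no_uid else "key-not-imported"
    result = "no-signature-result"
    for keyword, args in status_records(verify_out):
        if keyword == "BADSIG":
            return "bad-signature"
        if keyword in ("ERRSIG", "NO_PUBKEY"):
            result = "signing-key-missing"
        elif keyword == "VALIDSIG" and args:
            # The tenth field, when present, is the primary key fingerprint.
            signer = args[9] if len(args) >= 10 else args[0]
            result = "ok" if signer == expected_fpr.upper() else "unexpected-signer"
    return result

# Constructed status output: a key with no valid user ID, then a normal run.
IMPORT_NO_UID = PREFIX + "IMPORT_RES 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0\n"
IMPORT_OK = (PREFIX + "IMPORT_OK 1 " + FPR + "\n"
             + PREFIX + "IMPORT_RES 1 0 1 0 0 1 0 1 0 0 0 0 0 0 0\n")
VERIFY_GOOD = (PREFIX + "GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>\n"
               + PREFIX + "VALIDSIG " + FPR + " 2024-01-01 1704067200 0 4 0 1 10 00 " + FPR + "\n")
VERIFY_BAD = PREFIX + "BADSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>\n"

if __name__ == "__main__":
    print(check_release(IMPORT_NO_UID, "", FPR))
    print(check_release(IMPORT_OK, VERIFY_GOOD, FPR))
    print(check_release(IMPORT_OK, VERIFY_BAD, FPR))
```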