TeamWin / android_bootable_recovery


BAD signature for 3.7.1 platform downloads (vayu) #363

Closed el-christianito closed 2 weeks ago

el-christianito commented 3 weeks ago

Device codename: vayu
TWRP version: 3.7.1_12-0

WHAT STEPS WILL REPRODUCE THE PROBLEM?

Download .img and corresponding .img.asc files (using Firefox or wget) from:

WHAT IS THE EXPECTED RESULT?

Running gpg --verify *.img.asc returns: Good signature from "TeamWin <admin@teamw.in>"

WHAT HAPPENS INSTEAD?

Instead, the result is: BAD signature from "TeamWin <admin@teamw.in>"

ADDITIONAL INFORMATION

Earlier builds (e.g. 3.7.0_12-0) had correct signatures. Sha256sum matches.

Please check whether the file has been corrupted or if something went wrong in the signing process. Currently, there's no guarantee that the files are really created and uploaded by TWRP instead of a malicious actor.

spongy-deluxe commented 3 weeks ago

In addition, I can say that the same issue exists for a72q and several other devices. Furthermore, I have randomly selected some other devices and got the exact same errors.

gpg -v --verify twrp-3.7.1_12-0-a72q.img.asc twrp-3.7.1_12-0-a72q.img
gpg: Signature made Sat Feb 17 19:52:24 2024 CET
gpg:                using RSA key 95707D42307C9D41D09BF7091D8597D7891A43DF
gpg: using pgp trust model
gpg: BAD signature from "TeamWin <admin@teamw.in>" [unknown]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096

@bigbiff Is this perhaps a reiteration of similar issues like: https://github.com/TeamWin/Team-Win-Recovery-Project/issues/1269#issuecomment-406828903

EDIT: As a comparison I checked some older image that I had lying around. It works and prints the primary key fingerprint.

$ gpg -v --verify twrp-3.7.0_12-0-payton.img.asc
gpg: assuming signed data in 'twrp-3.7.0_12-0-payton.img'
gpg: Signature made Tue Oct 18 02:14:58 2022 CEST
gpg:                using RSA key 95707D42307C9D41D09BF7091D8597D7891A43DF
gpg: using pgp trust model
gpg: Good signature from "TeamWin <admin@teamw.in>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9570 7D42 307C 9D41 D09B  F709 1D85 97D7 891A 43DF
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
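The two reports above both rely on reading "Good signature" / "BAD signature" off gpg's human-readable output, and the "not certified with a trusted signature" warning in the good case is easy to confuse with a failure. The script below is an added example, not code from the TWRP project or from either commenter: it verifies a detached .img.asc with gpg's machine-readable `--status-fd` output, pins the result to an expected key fingerprint (the TeamWin fingerprint is the one gpg printed in this thread), and separates the outcomes a flashing script cares about. The BADSIG case from this issue cannot be reproduced offline against TeamWin's key, so `demo_sign_and_tamper` generates a throwaway key and a constructed stand-in image, signs it, then appends a byte to show the same BADSIG result. Assumptions: gpg 2.1 or later on PATH, and the throwaway key's name and address are invented for the demo.

```shell
#!/bin/sh
# Added example (not TWRP project code). Requires gpg >= 2.1.

# Primary key fingerprint gpg reported for "TeamWin <admin@teamw.in>" in this thread.
TEAMWIN_FPR="95707D42307C9D41D09BF7091D8597D7891A43DF"

# verify_image IMG ASC EXPECTED_FPR
# Exit codes:
#   0  valid signature made by the expected (primary) key
#   1  BADSIG: image or .asc modified, or signed over different bytes (this issue)
#   2  no usable signature: missing file, key not in keyring, gpg error
#   3  signature valid but made by a key other than EXPECTED_FPR
# Spaces in EXPECTED_FPR are ignored, so the "Primary key fingerprint:" line
# can be pasted as-is.
verify_image() {
    img=$1; asc=$2
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    # --status-fd lines are stable and scriptable; the human text is not.
    status=$(gpg --batch --status-fd 1 --verify "$asc" "$img" 2>/dev/null) || true
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        return 1
    fi
    # VALIDSIG <sigkey fpr> ... [<primary key fpr>]; the last field is the primary key.
    line=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1)
    [ -n "$line" ] || return 2
    got=$(printf '%s\n' "$line" | awk '{print $NF}')
    [ "$got" = "$want" ] && return 0
    return 3
}

# Offline demo: throwaway key, constructed image, good / wrong-key / tampered checks.
# Prints the three exit codes, e.g. "0 3 1".
demo_sign_and_tamper() {
    work=$(mktemp -d)
    old_home=${GNUPGHOME-}
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway key (invented identity; unprotected so no pinentry is needed).
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Throwaway Signer <throwaway@example.invalid>' default default 1d 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys throwaway@example.invalid \
          | awk -F: '$1=="fpr"{print $10; exit}')
    # Constructed stand-in for a recovery image.
    printf 'constructed stand-in for twrp-3.7.1_12-0-vayu.img\n' > "$work/twrp.img"
    gpg --batch --yes --armor --detach-sign --output "$work/twrp.img.asc" "$work/twrp.img" 2>/dev/null

    if verify_image "$work/twrp.img" "$work/twrp.img.asc" "$fpr"; then good=0; else good=$?; fi
    if verify_image "$work/twrp.img" "$work/twrp.img.asc" "$TEAMWIN_FPR"; then wrongkey=0; else wrongkey=$?; fi
    # One appended byte is enough: same symptom as the 3.7.1 downloads in this issue.
    printf 'x' >> "$work/twrp.img"
    if verify_image "$work/twrp.img" "$work/twrp.img.asc" "$fpr"; then bad=0; else bad=$?; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    if [ -n "$old_home" ]; then GNUPGHOME=$old_home; export GNUPGHOME; else unset GNUPGHOME; fi
    echo "$good $wrongkey $bad"
}
```

For a real download, `verify_image twrp-3.7.1_12-0-vayu.img twrp-3.7.1_12-0-vayu.img.asc "$TEAMWIN_FPR"` after importing TeamWin's key; exit code 3 would mean someone signed the image with a different key, which a bare `gpg --verify` reports as "Good signature" and which the "not certified" trust warning does not catch on its own.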

bigbiff commented 2 weeks ago

Thanks for the report. I went through all the bad keys and have them re-generated. Sometimes there is a bug in the generation process.