akheron
commented
1 year ago Hi, and thanks for the message! Where did you get the files?
I downloaded them now from the GitHub releas page and they verify correctly:
$ gpg --verify jansson-2.14.tar.bz2.asc
gpg: assuming signed data in 'jansson-2.14.tar.bz2'
gpg: Signature made To 9 Syy 21:19:50 2021 EEST
gpg: using RSA key B5D6953E6D5059ED7ADA0F2FD3657D24D058434C
gpg: Good signature from "Petri Lehtinen <petri@digip.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B5D6 953E 6D50 59ED 7ADA 0F2F D365 7D24 D058 434C
$ gpg --verify jansson-2.14.tar.gz.asc
gpg: assuming signed data in 'jansson-2.14.tar.gz'
gpg: Signature made To 9 Syy 21:19:50 2021 EEST
gpg: using RSA key B5D6953E6D5059ED7ADA0F2FD3657D24D058434C
gpg: Good signature from "Petri Lehtinen <petri@digip.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B5D6 953E 6D50 59ED 7ADA 0F2F D365 7D24 D058 434C
$ md5sum jansson-2.14.tar.{bz2,gz}
3f90473d7d54ebd1cb6a2757396641df jansson-2.14.tar.bz2
6cbfc54c2ab3b4d7284e188e185c2b0b jansson-2.14.tar.gz(The warnings about missing trust records is because I'm not on the machine I use for signing.)
Hi, I'm following the Linux from Scratch tutorial and trying to keep up with verifying the signatures of my downloads.
It seems like a bit might have flipped or something:
Also, the MD5 they show here doesn't seem to be correct: https://www.linuxfromscratch.org/blfs/view/stable-systemd/general/jansson.html
Just making you aware in case this is actually a bigger issue...