egtvedt
commented
6 months ago Did something change on https://www.alsa-project.org/wiki/Download ?
I re-downloaded alsa-utils-1.2.11.tar.bz2.sig, and now I can verify alsa-utils-1.2.11.tar.bz2 archive.
Bad signature file alsa-utils-1.2.11.tar.bz2.sig sha512sum 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97 God signature file alsa-utils-1.2.11.tar.bz2.sig sha512sum 2e931100ad1f08866ac1c500b920976309b6ef33bcd4b81da1807765253c705acd8dac4f7d6973c7b8a55de132834a5239c02b5f9ae355d0f43f40a1381bde7d
The bad signature file is 153 bytes, good signature file is 833 bytes.
I think I'll blame network problems on this one, closing from my end.
Hello, downloading alsa-utils-1.2.11.tar.bz2 from https://www.alsa-project.org/wiki/Download gives me a file with sha512sum 5ce76807b53357584bfb4ace5acfdac4db9168ffaf5cdd1e499738eec046c36112bf84a99970f66368063a9baf73bad93af2d439630572f3eba5c9321071172d
However, validating this archive against the GPG signing key with fingerprint F04D F507 37AC 1A88 4C4B 3D71 8380 596D A6E5 9C91 does not result in success. Signature file also downloaded from https://www.alsa-project.org/wiki/Download
Doing the above steps for alsa-lib-1.2.11.tar.bz2 archive is successful.
I looked at the diff between alsa-utils-1.2.11.tar.bz2 and git tag, and couldn't spot anything suspicious.
Could a maintainer please verify alsa-utils is properly signed, if not, refresh the signature file to match released binary?