search

tukaani-project / xz

XZ Utils
https://tukaani.org/xz/
Other
542 stars 101 forks source link

PGP Signatures no longer valid? (Unknown system error) #133

Closed JonathanWilbur closed 1 month ago

JonathanWilbur commented 1 month ago

I run 

curl -v https://github.com/tukaani-project/xz/releases/download/v5.6.2/xz-5.6.2.tar.gz -o xz.tar.gz
curl -v https://github.com/tukaani-project/xz/releases/download/v5.6.2/xz-5.6.2.tar.gz.sig -o xz.tar.gz.sig
gpg --verify xz.tar.gz.sig xz.tar.gz

And I get

gpg: verify signatures failed: Unknown system error

Am I doing something wrong?

JonathanWilbur commented 1 month ago

You can see the decoded PGP signature message here.

It appears to be well-formed.

JonathanWilbur commented 1 month ago

This is the PGP key I am using to verify the signature:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBEzEOZIBEACxg/IuXERlDB48JBWmF4NxNUuuup1IhJAJyFGFSKh3OGAO2Ard
sNuRLjANsFXA7m7P5eTFcG+BoHHuAVYmKnI3PPZtHVLnUt4pGItPczQZ2BE1WpcI
ayjGTBJeKItX3Npqg9D/odO9WWS1i3FQPVdrLn0YH37/BA66jeMQCRo7g7GLpaNf
IrvYGsqTbxCwsmA37rpE7oyU4Yrf74HT091WBsRIoq/MelhbxTDMR8eu/dUGZQVc
Kj3lN55RepwWwUUKyqarY0zMt4HkFJ7v7yRL+Cvzy92Ouv4Wf2FlhNtEs5LE4Tax
W0PO5AEmUoKjX87SezQK0f652018b4u6Ex52cY7p+n5TII/UyoowH6+tY8UHo9yb
fStrqgNE/mY2bhA6+AwCaOUGsFzVVPTbjtxL3HacUP/jlA1h78V8VTvTs5d55iG7
jSqR9o05wje8rwNiXXK0xtiJahyNzL97Kn/DgPSqPIi45G+8nxWSPFM5eunBKRl9
vAnsvwrdPRsR6YR3uMHTuVhQX9/CY891MHkaZJ6wydWtKt3yQwJLYqwo5d4DwnUX
CduUwSKv+6RmtWI5ZmTQYOcBRcZyGKml9X9Q8iSbm6cnpFXmLrNQwCJN+D3SiYGc
MtbltZo0ysPMa6Xj5xFaYqWk/BI4iLb2Gs+ByGo/+a0Eq4XYBMOpitNniQARAQAB
tCdMYXNzZSBDb2xsaW4gPGxhc3NlLmNvbGxpbkB0dWthYW5pLm9yZz6JAlEEEwEK
ADsCGwMCHgECF4AECwkIBwMVCggFFgIDAQAWIQQ2kMJAzlG0Zw0wrRw47nV9aRhG
IAUCZZwJyQUJGuHiNwAKCRA47nV9aRhGIE4qD/4jdFTe3WPpLgvz/jdlbnSZxr7q
OS6H/ZJFENHO4SbavXdoXLtj+t6/lqWq890Js8IpWaaiJLowzW1xJMEg99W6k0KD
3pHUbwPxf0GCSAt/W4JYxdTj+1ggdHjx5yBAmOakjnOH+ZDKQNBnDOI6ghf3ew+H
9z/b0mQX3rlQbtoqSPZtuDOdFcjCOSwEyqdV+9eNqnv2CoKZkiGoUB1WGCbqKUkY
KiUJ3WldmPQ5RQYjEi7zZWVac1VuwBA0XOku+W4cCJ5DnPyK7CtMwC84VvaodlOX
UAK3Y5BIZpZM2Rk6yMX5lFDA5nA8UuHJQRDjTVmh3BIdgRvp0ZV6ogtqNE7RifpW
aBWDIsCkimcbCJJM+edOLiVZog+ia1Ts8zu33wj7Tnvp5znLc8NLZIqwu1HKLS97
m+Yf5oC3ObTZtXbVF+OglWe/3ljLHdL2bJxNdtcVlChSNPUW3fgLHk9Fzrlnqdab
tSGwI/0Ryt00cKjRiMOagTn5Nly6boCtgGYdQafQoSrs3eQjnWVgbNYDMgPyl4k+
Q5RJLEY7AvtXo7FUEgOTfr9PWmjmc2JzGpxbtwl6sQi6yLrBZTRf1Xao2OjOje6G
XdUbXNmgOv16sWxcI0s4lX1z28BgHQfwXhBFBRjw2Sy+6TfFXjX24thcpMwvyJ3c
xhMtdY4N4jyfRjYe8LkCDQRMxDmSARAAv8XAp2PGA/G1KmCrVIzOBm1NPIuqGAYP
c1l9p0dYdhEgvfw0NXcl5MDv1jbOPZ2PspA8NP7Rqp6LNNXYTeM/eIJDndU5Phyi
ewFpACAp7Gmm2dL5PUOhu0gIUnQYbN/QdGPoo7bNI646K1Y9aVTBu9fszQssjb6G
qXHSNM+pskVn9lropO1tLrF0I9VSlSphlCmiQRlzBCZSnxD6UagkPaw1gJnJqnrd
f9oA6AIavZFdh104fl7y8bMZb6bC0K/5ZD0DLfmYaojkyqRtl3VBu6/ZvXrjsT9A
QS5x9EdVslUoYY+kUxQm1wi3LIi3mOj6v0IIvgKzjt0X/39E3C42+m8ddTKowFB1
Y1lEzHiT80YP9a+I+L2bqYgy6Lqs5CxI5qph1xRfg2rY6uvc5rPYk9B1R94jbeKi
3W8ryHG9QJBNXcd8mCGLM3qylWXTJA4oGITyaIlGCuMeKUfeFNvGijjbEOQ0Cr4J
CjdACbWJsPEoIOrRFxY+NwJEA39Dkyalyh2l0qTNXTIYhLiDuzl+tWuBX+SjHavj
9jGyvwr3T37gfzYCNMoZf8GaxAUJMCoGTqnsjTPGMion/DfdNkFDQ+fivdYiVQ9p
/Njpr38sC83V8dHF/1KkIHImyzMPTdC7l/lMHyC2Gx2dWZOjuOOKit0Qoy3DZoQw
vN1ZZND9M1UAEQEAAYkCPAQYAQoAJgIbDBYhBDaQwkDOUbRnDTCtHDjudX1pGEYg
BQJlnAmyBQka4eIgAAoJEDjudX1pGEYguyYQAJo+5SnMMdu+d70mWfUb9PZg7P5C
GRepHnckx9Sis5oR5s7NNl5j5Yy4J1UwsmrP+mn52ujqewkkVsCq65NGQQx7+tkw
uKGvnGBkHdrI+aJk86qLMf4DlnNJEmN8t5jTGQfRLbFVf2I8EY6qXAzCSmL9Zs++
rDUz65GOTB1EP0XmBRsuVYRfDbFezrPQH0JDucbXFi/2BDnl2/Mk9NBoQ0CvB4oG
tLDiQZ+jV7n1VXXJ1faD9s7i0hOTdcG6rlyIqi/LyAzdCnOYTkmv3U1kdmzkvrh1
KEiejnM5fj27RE2v191vh3hgZ+X5+uwjNTP0QC4qP8XykQOAA8usOMVZ72lyXCAk
wiUcRdrAXLN/XbIFNcQ3m4d3W6t60Gk09wFlUKaEltDMlPUsxiSG3qFwFGPBP6UV
h3mjJMAl1jltLrR7ybez0SczfrcAtdCsKTvgzV9W2TzUfK2R9PBanmXTXK2M7yU3
IquHt3Je4aSP7XYb5D+ajlbFNvnXOYcai8WryfC5nLAfV4MbPX+UlRaYCqqHVhut
gK93re1L5mMI3zjG5Ri5jLpUA9toSJCIJIY5zwr/8LL/ZL4TixXlouA17yjkpY/e
Bjs8cNj1O3aM4jY2FKCS8UbfxOiARk/5kBMRPEZ/mqpMQttzE8KVjOv6fRxy/eVE
888/gToe5kb8qYwy
=6rZC
-----END PGP PUBLIC KEY BLOCK-----
thesamesam commented 1 month ago

I see the same as you. I will look more.

JonathanWilbur commented 1 month ago

Well, this may have been my fault. It seems that you have to add the -L option to the curl commands:

curl -vL https://github.com/tukaani-project/xz/releases/download/v5.6.2/xz-5.6.2.tar.gz -o xz.tar.gz
curl -vL https://github.com/tukaani-project/xz/releases/download/v5.6.2/xz-5.6.2.tar.gz.sig -o xz.tar.gz.sig
gpg --verify xz.tar.gz.sig xz.tar.gz

It seems to work once you do that. Closing. Sorry to waste your time.

thesamesam commented 1 month ago

I was just about to post the same thing ;)