Discussion:
[Opendnssec-user] Signature of SoftHSM 2.3.0 release tarball
Jaroslav Imrich
2017-07-04 19:54:21 UTC
Permalink
Hello,

I am having trouble verifying signature of SoftHSM 2.3.0 release tarball.
Previous releases were signed with key 4EE17CD2: "OpenDNSSEC Distribution
Key 2014 <distribution-***@opendnssec.org>" but this one uses key 4FCB0B94
and I am not sure where to get it.

I've downloaded https://dist.opendnssec.org/source/softhsm-2.3.0.tar.gz and
https://dist.opendnssec.org/source/softhsm-2.3.0.tar.gz.sig and I'm facing
following problems trying to verify the signature:

d:\>gpg --verify softhsm-2.3.0.tar.gz.sig softhsm-2.3.0.tar.gz
gpg: Signature made 07/03/17 09:35:31 Central Europe Daylight Time using
RSA key ID 4FCB0B94
gpg: Can't check signature: No public key

d:\>gpg --keyserver pgp.mit.edu --recv-keys 4FCB0B94
gpg: requesting key 4FCB0B94 from hkp server pgp.mit.edu
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: Not found
gpg: keyserver communications error: Bad public key
gpg: keyserver receive failed: Bad public key

I'll grateful for any pointer or advice.

Kind Regards / S pozdravom

Jaroslav Imrich
http://www.jimrich.sk
***@gmail.com
Yuri Schaeffer
2017-07-04 20:28:48 UTC
Permalink
Hi Jaroslav,
Post by Jaroslav Imrich
RSA key ID 4FCB0B94
gpg: Can't check signature: No public key
Our public keys can be found here:
https://wiki.opendnssec.org/display/OpenDNSSEC/PGP

It seems this release was signed with our previous key (which expired
last February). I'll track down how that happened and make sure you'll
get a proper signature tomorrow.

//Yuri
Jaroslav Imrich
2017-07-04 20:52:42 UTC
Permalink
Thanks a lot! I was missing "Distribution Key 2017". Everything is OK now:

d:\>gpg --verify softhsm-2.3.0.tar.gz.sig softhsm-2.3.0.tar.gz
gpg: Signature made 07/03/17 09:35:31 Central Europe Daylight Time using
RSA key ID 4FCB0B94
gpg: Good signature from "OpenDNSSEC Distribution Key 2017 <
distribution-***@opendnssec.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 4D03 88CE 86BB 398B 387B 6630 41F6 23BE 4FCB 0B94

Regards, Jaroslav
Post by Yuri Schaeffer
Hi Jaroslav,
Post by Jaroslav Imrich
RSA key ID 4FCB0B94
gpg: Can't check signature: No public key
https://wiki.opendnssec.org/display/OpenDNSSEC/PGP
It seems this release was signed with our previous key (which expired
last February). I'll track down how that happened and make sure you'll
get a proper signature tomorrow.
//Yuri
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Yuri Schaeffer
2017-07-04 21:06:19 UTC
Permalink
Ah that's great. I was confused by your mail and thought we err'd. All
is good then. Cheers!

//Yuri
Wytze van der Raay
2017-07-05 09:38:51 UTC
Permalink
Post by Yuri Schaeffer
Ah that's great. I was confused by your mail and thought we err'd. All
is good then. Cheers!
It would be still better though if the distribution-***@opendnssec.org key
was signed by a few more people *and* uploaded to a public key server.

Regards,
Wytze van der Raay

Loading...