Hi, On Thu, Apr 11, 2019 at 11:39:51AM +0200, Fabiano Fidêncio wrote: > Guido, > > On Thu, Apr 11, 2019 at 11:10 AM Guido Günther <agx@xxxxxxxxxxx> wrote: > > > > Hi, > > Older libosinfo releases were signed with Daniel's key: > > > > $ gpg --verify libosinfo_1.2.0.orig.tar.gz.asc > > gpg: assuming signed data in 'libosinfo_1.2.0.orig.tar.gz' > > gpg: Signature made Mi 20 Jun 2018 11:46:42 CEST > > gpg: using RSA key 0xBE86EBB415104FDF > > gpg: Good signature from "Daniel P. Berrange <dan@xxxxxxxxxxxx>" [unknown] > > gpg: aka "Daniel P. Berrange <berrange@xxxxxxxxxx>" [unknown] > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the owner. > > Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF > > > > And this key can be found on keyservers > > > > https://pgp.surfnet.nl/pks/lookup?search=0xBE86EBB415104FDF&fingerprint=on&op=index > > > > 1.4.0 seems to use a different key > > > > $ gpg --verify libosinfo-1.4.0.tar.gz.asc > > gpg: assuming signed data in 'libosinfo-1.4.0.tar.gz' > > gpg: Signature made Fr 01 Mär 2019 17:01:14 CET > > gpg: using RSA key 09B9C8FF223EF113AFA06A39EE926C2BDACC177B > > gpg: Can't check signature: No public key > > > > However i can't find that key on keyservers nor mentioned on > > https://libosinfo.org/ nor at https://releases.pagure.org/libosinfo/. > > > > Can you point me to the signing key? > > Hmm. That's my fault. > I've added the whole fingerprint, while I should have just added 0xDACC177B > Note taken for the next release. > > Here's the link for the key: > http://hkps.pool.sks-keyservers.net/pks/lookup?search=0xDACC177B&fingerprint=on&op=index Thanks! It'd be nice to have the signing keys in upstreams upstream git or somewhere prominent so one does not need to go hunting for it. Cheers, -- Guido _______________________________________________ Libosinfo mailing list Libosinfo@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libosinfo
