On 2010-07-02, Eric Blake <eblake@xxxxxxxxxx> wrote:
> [*] You can use either of the above signature files to verify that
> the corresponding file (without the .sig suffix) is intact. First,
> be sure to download both the .sig file and the corresponding tarball.
> Then, run a command like this:
>
>   gpg --verify autoconf-2.66.tar.gz.sig
>
> If that command fails because you don't have the required public key,
> then run this command to import it:
>
>   gpg --keyserver keys.gnupg.net --recv-keys 2527436A

Hi Eric,

While your announcement was signed with a key with that fingerprint, the
tarball I downloaded was signed with a key with fingerprint F4850180:

http://ftpmirror.gnu.org/autoconf/autoconf-2.66.tar.bz2

2527436A and F4850180 seem to be cross-signed, which makes foul play an
unlikely explanation (it looks like F4850180 is an old SHA1 key you are
in the process of replacing), but it would be more reassuring to use the
same key for both signatures, or at least give the correct fingerprint
for verifying the tarball signatures in the signed announcement email.

(Or was this a test to see if anyone actually bothers to verify the
signatures?)

Cheers,
    Olly

_______________________________________________
Autoconf mailing list
Autoconf@xxxxxxx
http://lists.gnu.org/mailman/listinfo/autoconf
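The check Olly performed by hand above, as an added example that is not part of this thread or of the Autoconf project: a plain `gpg --verify` only tells you that *some* key in your keyring produced a good signature, so the signer's fingerprint has to be compared against the one published in the signed announcement. The script below does that comparison on gpg's machine-readable `--status-fd` output (the `GOODSIG`/`VALIDSIG` lines), which is the stable interface for scripting; the "Good signature from ..." text is locale-dependent. All fingerprints, key IDs and status lines here are constructed placeholders whose last eight hex digits merely mimic the short IDs 2527436A and F4850180 from the mail; they are not Eric Blake's real keys.

```shell
#!/bin/sh
# Added example: confirm that a release tarball was signed by the key named
# in the signed announcement, not merely by "a" key. Not Autoconf project code.

# Full primary-key fingerprint as published in the announcement.
# CONSTRUCTED placeholder (40 hex digits ending in the short ID 2527436A).
ANNOUNCED_FPR="000011112222333344445555666677772527436A"

# signer_fingerprints STATUS_TEXT
# Parse `gpg --status-fd 1` output and print the fingerprint(s) from the
# first VALIDSIG line: the signing key's ($3) and, when gpg reports it as
# the last field, the primary key's. Prints nothing for BADSIG/ERRSIG/NO_PUBKEY,
# because those lines carry no VALIDSIG.
signer_fingerprints() {
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            print $3
            if (NF >= 12 && $NF != $3) print $NF   # primary-key fingerprint
            exit
        }'
}

# check_signer STATUS_TEXT ANNOUNCED_FPR
# 0: good signature by the announced key (or one of its subkeys)
# 1: good signature, but by some other key  (the situation in the mail)
# 2: no valid signature at all
check_signer() {
    fprs=$(signer_fingerprints "$1")
    [ -n "$fprs" ] || return 2
    for f in $fprs; do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# verify_tarball FILE ANNOUNCED_FPR
# Real-world wrapper (needs gpg and the key in the keyring; not exercised below).
verify_tarball() {
    status=$(gpg --status-fd 1 --batch --verify "$1.sig" "$1" 2>/dev/null)
    check_signer "$status" "$2"
}

# --- CONSTRUCTED gpg status output for the four interesting cases ---

# Signed directly by the announced key.
SAMPLE_MATCH='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 666677772527436A Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 000011112222333344445555666677772527436A 2010-07-02 1278000000 0 4 0 17 2 00 000011112222333344445555666677772527436A
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Signed by a signing subkey whose primary key is the announced one.
SAMPLE_SUBKEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1234567890ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA981234567890ABCDEF 2010-07-02 1278000000 0 4 0 17 2 00 000011112222333344445555666677772527436A
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Good signature, but from the other key (F4850180): plain gpg --verify says "Good signature".
SAMPLE_MISMATCH='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00001111F4850180 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF00001111F4850180 2010-07-02 1278000000 0 4 0 17 2 00 AAAABBBBCCCCDDDDEEEEFFFF00001111F4850180
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Tampered tarball: signature does not verify.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 666677772527436A Example Signer <signer@example.org>'

for name in SAMPLE_MATCH SAMPLE_SUBKEY SAMPLE_MISMATCH SAMPLE_BAD; do
    eval "status=\$$name"
    if check_signer "$status" "$ANNOUNCED_FPR"; then
        echo "$name: signed by the announced key"
    else
        echo "$name: NOT acceptable (rc=$?)"
    fi
done
```

For a real download the call is `verify_tarball autoconf-2.66.tar.bz2 "$ANNOUNCED_FPR"`; comparing the full fingerprint rather than a 32-bit short ID matters because short IDs can be collided deliberately, and accepting the primary-key fingerprint from the last `VALIDSIG` field is what lets a maintainer sign with a rotating subkey without changing the published identity.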