Björn Persson wrote: >Baxi wrote: >> Hi. I am trying to package a program. The upstream provided sha256sum.asc file. Verifying tarball with that signature says, Can't check signature: No public key. I found his public key in key directory by searching his email and added that key. Now gpg says Bad signature from that person. Also upstream didn't provide gpg keyring in his project. What should I do? > >Please post URLs to the files so I can see what kind of signatures or >checksums they actually contain. As I still haven't seen the files I'm going to post some advice based on what I read in the guts of this freshly caught bleak. First you should ask the upstream developer to publish his public key on his website, and make sure to use HTTPS when you download it. Anyone can make a key with someone else's email address on it and upload it to a key server, so you don't know whether the key you found is the right one. Once you know that you have the right key, the fish entrails tell me that you should use sha256sum.asc to verify the file named sha256sum like this: %{gpgverify} --keyring=... --signature=sha256sum.asc --data=sha256sum Then you should use the program sha256sum to verify the tarball against the checksum in the file sha256sum: sha256sum --check sha256sum That should print the filename of the tarball followed by "OK". Or, when you contact the developer to ask him to publish the key, you could also ask him to sign the tarball directly instead of going the detour through sha256sum. If the bleak is off the mark, then I'm still willing to look at the actual files instead. Björn Persson
Attachment:
pgp5zbuDfQH4j.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx