Re: rpmbuild signature check failure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Björn Persson wrote:
>Baxi wrote:
>> Hi. I am trying to package a program. The upstream provided sha256sum.asc file. Verifying tarball with that signature says, Can't check signature: No public key. I found his public key in key directory by searching his email and added that key. Now gpg says Bad signature from that person. Also upstream didn't provide gpg keyring in his project. What should I do?   
>
>Please post URLs to the files so I can see what kind of signatures or
>checksums they actually contain.

As I still haven't seen the files I'm going to post some advice based
on what I read in the guts of this freshly caught bleak.

First you should ask the upstream developer to publish his public key on
his website, and make sure to use HTTPS when you download it. Anyone
can make a key with someone else's email address on it and upload it to
a key server, so you don't know whether the key you found is the right
one.

Once you know that you have the right key, the fish entrails tell me
that you should use sha256sum.asc to verify the file named sha256sum
like this:

%{gpgverify} --keyring=... --signature=sha256sum.asc --data=sha256sum

Then you should use the program sha256sum to verify the tarball against
the checksum in the file sha256sum:

sha256sum --check sha256sum

That should print the filename of the tarball followed by "OK".

Or, when you contact the developer to ask him to publish the key, you
could also ask him to sign the tarball directly instead of going the
detour through sha256sum.

If the bleak is off the mark, then I'm still willing to look at the
actual files instead.

Björn Persson

Attachment: pgp5zbuDfQH4j.pgp
Description: OpenPGP digital signatur

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux