https://bugzilla.redhat.com/show_bug.cgi?id=1834731

--- Comment #89 from Simone Caronni <negativo17@xxxxxxxxx> ---
So here's the issue with the signature.

1- The tarball contains a file with all the PGP keys used to sign SHA256SUM (contrib/builder-keys/keys.txt).
2- The signatures are all in SHA256SUM.asc.
3- The keys can be on keyserver.ubuntu.com, keys.openpgp.org or both.
4- All keys need to be downloaded and put into the public keyring, or the signature verification fails (return code 2 instead of 0).
5- Some keys MIGHT be revoked when downloading them for the first time (which is the case now).

So verifying signatures always fails with the bundled key file. To make it right, someone needs to clean the SHA256SUM.asc files of all the signatures made with revoked files, which in the end does not match with what is downloaded.

Steps to reproduce:

# Extract only the bundled list of builder key fingerprints
tar -xzf bitcoin-22.0.tar.gz --strip-components=3 bitcoin-22.0/contrib/builder-keys/keys.txt
rm -f bitcoin-22.0.gpg
# Fetch every listed key from both keyservers, then export it minimally
while read -r fingerprint keyholder_name; do
  gpg2 -q --no-default-keyring --keyring ./bitcoin-22.0.gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "${fingerprint}"
  gpg2 -q --no-default-keyring --keyring ./bitcoin-22.0.gpg --keyserver hkps://keys.openpgp.org --recv-keys "${fingerprint}"
  gpg2 --no-default-keyring --keyring ./bitcoin-22.0.gpg --export --export-options export-minimal "${fingerprint}" >> bitcoin-22.0-pubring.gpg
done < keys.txt
rm -fr keys.txt
# Verify the detached signatures against the exported keyring
gpgv2 -q --keyring="$(pwd)/bitcoin-22.0-pubring.gpg" SHA256SUMS.asc SHA256SUMS
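Point 4 of the comment ties the result to the exit code, which is non-zero as soon as one signer's key is missing. The sketch below is an added example, not part of the bug comment or of Bitcoin Core: it decides from GnuPG's `--status-fd` lines instead, counting only good signatures from fingerprints the packager has pinned. The threshold policy, the function names and all fingerprints are assumptions or constructed.

```sh
#!/bin/sh
# Added example; the threshold policy and all fingerprints are constructed.
# Real input: gpg2 --no-default-keyring --keyring ./bitcoin-22.0.gpg \
#               --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null

# good_signers PINNED < status: print how many distinct pinned primary-key
# fingerprints produced a good signature from a key that is not revoked.
good_signers() {
  awk -v pinned="$1" '
    BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) trusted[p[i]] = 1 }
    $1 != "[GNUPG:]" { next }
    $2 == "NEWSIG"   { state = "" }        # a new signature block starts
    $2 == "GOODSIG"  { state = "good" }
    # Revoked or expired key, bad or unverifiable signature: never counted.
    $2 ~ /^(REVKEYSIG|EXPKEYSIG|EXPSIG|BADSIG|ERRSIG)$/ { state = "reject" }
    # VALIDSIG also follows REVKEYSIG/EXPKEYSIG, so require a prior GOODSIG.
    $2 == "VALIDSIG" && state == "good" {
      fpr = (NF >= 12) ? $12 : $3          # primary-key fingerprint if present
      if ((fpr in trusted) && !(fpr in seen)) { seen[fpr] = 1; count++ }
      state = ""
    }
    END { print count + 0 }
  '
}

# enough_signers PINNED MIN < status: succeeds if at least MIN pinned keys signed.
enough_signers() { [ "$(good_signers "$1")" -ge "$2" ]; }

# Constructed fingerprints (40 hex digits each), not real builder keys.
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FPR_B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
FPR_C=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# Constructed status stream: good signature, revoked key, key not in keyring.
sample_status() {
  cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Signer A (constructed)
[GNUPG:] VALIDSIG $FPR_A 2021-09-09 1631145600 0 4 0 1 8 00 $FPR_A
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG BBBBBBBBBBBBBBBB Signer B (constructed)
[GNUPG:] VALIDSIG $FPR_B 2021-09-09 1631145600 0 4 0 1 8 00 $FPR_B
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CCCCCCCCCCCCCCCC 1 8 00 1631145600 9 $FPR_C
[GNUPG:] NO_PUBKEY CCCCCCCCCCCCCCCC
EOF
}
sample_status | good_signers "$FPR_A $FPR_B $FPR_C"   # prints 1
```

The pinned list should come from a source reviewed independently of the tarball being verified, since a key file shipped inside the archive cannot vouch for the archive itself.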