On Fri, 18 Mar 2022 10:45:35 +0100, Daniel Wagner wrote:
>$ gpg pgpkeys/keys/587C5ECA5D0A306C.asc

Hi,

that's the wrong key:

[rocketmouse@archlinux linux-rt]$ gzip -cd patch-4.19.233-rt105.patch.gz | gpg2 --verify patch-4.19.233-rt105.patch.sign -
gpg: Signature made Fri 11 Mar 2022 09:10:11 CET
gpg:                using EDDSA key 1B45744BE36280CA7D6BD460E072D068B1F5703E
                                                            ^^^^^^^^^^^^^^^^
                                                            587C5ECA5D0A306C.asc

Importing your key from a keyserver (e.g. from hkp://keyserver.ubuntu.com) isn't an issue at all. The rt-patch was either signed with another key (E072D068B1F5703E instead of 587C5ECA5D0A306C) or the uploaded patch is malicious.

The patch was downloaded from https://www.kernel.org/pub/linux/kernel/projects/rt/ :

[rocketmouse@archlinux ~]$ head -24 /usr/src/linux-rt-rm/PKGBUILD
[snip]
_pkgver=4.19.233
_rtpatchver=105
pkgver="${_pkgver}_rt${_rtpatchver}"
[snip]
source=(
  "https://www.kernel.org/pub/linux/kernel/v${_pkgver%%.*}.x/linux-${_pkgver}.tar.gz"
  "https://www.kernel.org/pub/linux/kernel/v${_pkgver%%.*}.x/linux-${_pkgver}.tar.sign"
  "https://www.kernel.org/pub/linux/kernel/projects/rt/${_pkgver%.*}/older/patch-${_pkgver}-rt${_rtpatchver}.patch.gz"
  "https://www.kernel.org/pub/linux/kernel/projects/rt/${_pkgver%.*}/older/patch-${_pkgver}-rt${_rtpatchver}.patch.sign"

Regards,
Ralf
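An added example, not part of the message above and not code from kernel.org or the PKGBUILD: gpg's machine-readable status output (`--status-fd`) reports both the key that made a signature and the primary key it belongs to, so a script can tell a signature made by a subkey of a pinned key apart from one made by an unrelated key. The function name `classify_signer`, the pinned ID and the sample status lines are constructed for illustration and are not the keys discussed in this thread.

```shell
#!/bin/sh
# Added example. Reads the output of
#   gzip -cd PATCH.gz | gpg2 --status-fd 1 --verify PATCH.sign - 2>/dev/null
# on stdin and classifies the signer against a pinned 16-hex-digit long key ID.
# Prints one of: primary | subkey | mismatch | nosig
classify_signer() {
    awk -v pinned="$1" '
        # VALIDSIG: field 3 is the fingerprint of the key that signed,
        # the last field is the fingerprint of the primary key it belongs to.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && length($NF) >= 40 {
            signing = toupper($3); primary = toupper($NF); found = 1; exit
        }
        END {
            if (!found) { print "nosig"; exit }   # no valid signature reported
            if (substr(primary, length(primary) - 15) != toupper(pinned)) {
                print "mismatch"   # signer belongs to a different primary key
            } else if (signing == primary) {
                print "primary"    # the pinned key signed directly
            } else {
                print "subkey"     # a signing subkey of the pinned key signed
            }
        }'
}

# Constructed status lines (not real gpg output, not this thread's keys).
PINNED=0123456789ABCDEF
SAMPLE_SUBKEY='[GNUPG:] VALIDSIG 111111111111111111111111FEDCBA9876543210 2022-03-11 1646986211 0 4 0 22 10 00 3333333333333333333333330123456789ABCDEF'
SAMPLE_PRIMARY='[GNUPG:] VALIDSIG 3333333333333333333333330123456789ABCDEF 2022-03-11 1646986211 0 4 0 22 10 00 3333333333333333333333330123456789ABCDEF'
SAMPLE_OTHER='[GNUPG:] VALIDSIG 555555555555555555555555FEDCBA9876543210 2022-03-11 1646986211 0 4 0 22 10 00 555555555555555555555555FEDCBA9876543210'

for s in "$SAMPLE_SUBKEY" "$SAMPLE_PRIMARY" "$SAMPLE_OTHER" ''; do
    printf '%s\n' "$s" | classify_signer "$PINNED"
done
```

Only the `subkey` and `primary` results tie the signature to the pinned key; `mismatch` and `nosig` should both fail a build.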