Hi Ralf, On Fri, Mar 18, 2022 at 06:42:49PM +0100, Ralf Mardorf wrote: > >[rocketmouse@archlinux linux-rt]$ gzip -cd > >patch-4.19.233-rt105.patch.gz | gpg2 --verify > >patch-4.19.233-rt105.patch.sign - gpg: Signature made Fri 11 Mar 2022 > >09:10:11 CET gpg: using EDDSA key > >1B45744BE36280CA7D6BD460E072D068B1F5703E > > ^^^^^^^^^^^^^^^^ > > 587C5ECA5D0A306C.asc It's a subkey hence the file name wont match. The file name is the finger print and not the subkey. > >Importing your key from a keyserver (e.g. from > >hkp://keyserver.ubuntu.com) isn't an issue at all. > > > >The rt-patch was either signed with another key (E072D068B1F5703E > >instead of 587C5ECA5D0A306C) or the uploaded patch is malicious. Did you import 587C5ECA5D0A306C.asc from korg? It should contain all my public keys (incl. the subkeys). At least this is what I think I did when trying to follow (outdated, very outdated, complete useless or wrong) documentation. Hope this helps, Daniel ps: I have very strong feelings when it comes to gpg and no they are not the good ones.
