On 2017-10-03 at 14:50 -0600, Damien Miller wrote:
> Please note that the SHA256 signatures are base64 encoded and not
> hexadecimal (which is the default for most checksum tools). The PGP
> key used to sign the releases is available as RELEASE_KEY.asc from
> the mirror sites.

Of the two up-to-date mirrors with 7.6 I can find:

  rsync://openbsd.cs.toronto.edu/openbsd/OpenSSH/portable/
  https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/

neither has a "RELEASE_KEY.asc" file. There's:

  DJM-GPG-KEY.asc

For the Fastly case, I've confirmed that this is not a stale cached
index issue and that putting in RELEASE_KEY.asc as a filename yields a
404.

The file "DJM-GPG-KEY.asc" contains the PGP key 0xCE8ECB0386FF9C48
which was revoked in 2013. The signature I do see on the release was
made with PGP key 0xD3E5F56B6D920D30, which was created the same day.

I have a trust-path to the key 0xD3E5F56B6D920D30 so I'm good, but
something seems to have gone askew here.

-Phil
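
The base64-versus-hex point in the quoted announcement text, as an added example that is not part of the original message or of the OpenSSH project's tooling: it checks data against a published SHA256 value given in either encoding. The "SHA256 (file) = digest" line shape, the file name and the sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Assumed line shape: "SHA256 (file) = digest", optionally led by "- ".
CHECKSUM_LINE = re.compile(r"^\s*(?:-\s*)?SHA256 \((?P<name>[^)]+)\) = (?P<digest>\S+)\s*$")


def decode_digest(text):
    """Return the 32 raw SHA256 bytes from a hex or base64 string."""
    text = text.strip()
    # Test hex first: 64 hex characters are also valid base64 (48 bytes).
    if re.fullmatch(r"[0-9a-fA-F]{64}", text):
        return bytes.fromhex(text)
    padded = text + "=" * (-len(text) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("digest is neither hex nor base64") from exc
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("decoded digest is %d bytes, expected 32" % len(raw))
    return raw


def verify(data, checksum_line):
    """Check data against a published checksum line; return (name, ok)."""
    match = CHECKSUM_LINE.match(checksum_line)
    if match is None:
        raise ValueError("unrecognised checksum line")
    expected = decode_digest(match["digest"])
    actual = hashlib.sha256(data).digest()
    return match["name"], hmac.compare_digest(actual, expected)


def both_encodings(data):
    """Return (hex, base64) renderings of the same SHA256 digest."""
    raw = hashlib.sha256(data).digest()
    return raw.hex(), base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    sample = b"constructed stand-in for a release tarball"  # constructed input
    hex_form, b64_form = both_encodings(sample)
    print("hex   :", hex_form)
    print("base64:", b64_form)
    print(verify(sample, "SHA256 (example.tar.gz) = " + b64_form))
```

A checksum match only shows the download equals what the announcement describes; the authenticity check is still the PGP signature made by a key you have a trust path to.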