Hi Collin, Hi Karl Thank you very much for your answers. It was mainly to be sure. To package the automake we need to provide a keyring file to our build service, and I miss to fetch the newest automake keyring where your key, Karl, has been added. Therefore only your public gpg key, independently, worked.
But then, as you described Colin, the GPG keyring from Savannah works well. I will update the automake keyring file in our packaging (at openSUSE). Thank you again and wish you all the best, Valentin Lefebvre Linux Distribution Engineer - packager Member of System Boot and Init team SUSE Software Solutions Germany GmbH 56100 Lorient, France On Thu, Jun 5, 2025 at 12:13 AM Collin Funk <collin.fu...@gmail.com> wrote: > Karl Berry <k...@freefriends.org> writes: > > > I signed it. I'm one of the listed admins of the automake group on > > savannah (https://savannah.gnu.org/projects/automake/), so I don't know > > what you mean by "from the automake group". Jim is still the official > > automake maintainer, but my key was added as an allowed uploader since > > (unfortunately) he doesn't have much time for automake any more. > > gpg --verify automake-1.18.tar.xz.sig works for me. > > Using the GPG keyring from Savannah [1]: > > $ gpg --import automake-keyring.gpg > gpg: key 7FD9FCCB000BEEEE: 434 signatures not checked due to missing > keys > gpg: key 7FD9FCCB000BEEEE: public key "Jim Meyering <j...@meyering.net>" > imported > gpg: key 9DEB46C0D679F6CF: 2 signatures not checked due to missing keys > gpg: key 9DEB46C0D679F6CF: public key "Karl Berry < > k...@freefriends.org>" imported > gpg: Note: third-party key signatures using the SHA1 algorithm are > rejected > gpg: (use option "--allow-weak-key-signatures" to override) > gpg: key 0716748A30D155AD: 1 bad signature > gpg: key 0716748A30D155AD: public key "Karl Berry < > k...@freefriends.org>" imported > gpg: Total number processed: 3 > gpg: imported: 3 > gpg: no ultimately trusted keys found > $ gpg --verify automake-1.18.tar.xz.sig > gpg: assuming signed data in 'automake-1.18.tar.xz' > gpg: Signature made Tue May 27 13:47:11 2025 PDT > gpg: using RSA key > 17D3311B14BC0F248267BF020716748A30D155AD > gpg: Good signature from "Karl Berry <k...@freefriends.org>" [unknown] > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > Primary key fingerprint: 17D3 311B 14BC 0F24 8267 BF02 0716 748A 30D1 > 55AD > > Seems fine to me as well. > > [1] https://savannah.gnu.org/project/release-gpgkeys.php?group=automake >
