Hi, I believe there's something wrong with the signature of the latest release.
Werner Koch (w...@gnupg.org):
>  * If you already have a version of GnuPG installed, you can simply
>    verify the supplied signature.  For example to verify the signature
>    of the file gnupg-2.1.17.tar.bz2 you would use this command:
>
>      gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2

This fails:

gpg: Signature made Tue Dec 20 11:33:11 2016 CET
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: BAD signature from "Werner Koch (dist sig)" [unknown]

But the SHA1 hash of the release tarball matches the one in the release
announcement. I downloaded directly from gnupg.org.

For reference, the hashes of the release file and the signature (as
downloaded here) are:

SHA1 (gnupg-2.1.17.tar.bz2) = d83ab893faab35f37ace772ca29b939e6a5aa6a7
SHA1 (gnupg-2.1.17.tar.bz2.sig) = 34cea3e6d139cb340bf14f04ff217cb6960cf36d

Or is that just me and a local issue?

Regards,
Christoph

-- 
Spare Space
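Added example, not part of the original post and not GnuPG project code: a small Python check that keeps the two results reported above separate, so that a matching SHA1 never stands in for a BAD signature. It reads gpg's machine-readable status lines instead of the human-readable text; the function names, the sample bytes and the status lines are constructed for illustration, and only the key fingerprint is taken from the post.

```python
import hashlib
import hmac

# Fingerprint printed in the post above; every other value here is constructed.
PINNED_FPR = "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"
SAMPLE_DATA = b"constructed stand-in for the tarball bytes"
# Constructed status output, as `gpg --status-fd 1 --verify FILE.sig FILE` would emit it.
BADSIG_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 249B39D24F25E3B6 Werner Koch (dist sig)\n"

def parse_status(status_text):
    """Collect '[GNUPG:] KEYWORD args...' lines into {KEYWORD: [args]}."""
    events = {}
    prefix = "[GNUPG:] "
    for line in status_text.splitlines():
        if line.startswith(prefix):
            keyword, _, rest = line[len(prefix):].partition(" ")
            events[keyword] = rest.split()
    return events

def signature_state(status_text, pinned_fpr):
    """Return 'good', 'bad' or 'unverified' for one detached signature."""
    events = parse_status(status_text)
    if "BADSIG" in events:
        return "bad"
    # VALIDSIG carries full fingerprints: signing key first, primary key last.
    valid = events.get("VALIDSIG", [])
    signers = {f.upper() for f in (valid[:1] + valid[-1:])}
    if "GOODSIG" in events and pinned_fpr.upper() in signers:
        return "good"
    return "unverified"  # ERRSIG, missing key, unexpected signer, or no status

def digest_matches(data, announced_sha1):
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual, announced_sha1.strip().lower())

def check_release(data, announced_sha1, status_text, pinned_fpr):
    """Report both checks; a matching digest never overrides the signature."""
    sig = signature_state(status_text, pinned_fpr)
    digest_ok = digest_matches(data, announced_sha1)
    return {"digest_ok": digest_ok, "signature": sig,
            "accept": sig == "good" and digest_ok}

if __name__ == "__main__":
    announced = hashlib.sha1(SAMPLE_DATA).hexdigest()  # stands in for the announced hash
    print(check_release(SAMPLE_DATA, announced, BADSIG_STATUS, PINNED_FPR))
```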