On Tue, 20 Dec 2016 13:46, c...@burggraben.net said: > I believe there's something wrong with the signature of the latest > release.
Sorry, my fault. To create the signature I use
gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2
Today I forgot the -b and thus a non-detached signature was created
(suffix .gpg). After realizing that I fixed that but probably I did
gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2.gpg
which is obviously wrong. Then I copied gnupg-2.1.17.tar.bz2{,.sig} to
the final locations. The end result is that the detached signature was
over a binary signed tarball and not over the plain tarball. I can't
prove that anymore because I deleted the .gpg files before I noticed
that the signature were wrong.
Before you ask: Yes, I should add a make target for signing. Actually I
did this for the Windows installer's yesterday.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
pgpoSaGpiid56.pgp
Description: PGP signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
