On 9 Apr 2014, at 4:12 PM, Jakob Bohm wrote:

> Attention: The .asc file I downloaded directly from openssl.org for the
> 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt
> file distributed in previous tarballs, nor by the (unverifiable)
> fingerprints.txt available from
>
> http://www.openssl.org/docs/misc/
>
> Specifically, it was signed by a PGP key purporting to belong to Dr. Henson,
> but with a different identifier and a different e-mail address
> than the authorized key listed for him in fingerprints.txt.
>
> I suspect this is just a mixup at your end, but one cannot feel too
> sure without a valid file signature consistent with the securely distributed
> signature list.

I also noticed this--- previous tarballs were all signed by the F295C759 key (fingerprint ending in D57EE597), but this announcement and the 1.0.1g tarball were both signed by the FA40E9E2 key. However, the new key (all three of its userids) *is* signed by the old key, so there is I think some assurance that the new key also belongs to Dr Stephen Henson and that the release is legitimate.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
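
The check described in the reply above (every user ID on the new key carrying a valid certification from the previously trusted key) can be automated against GnuPG's machine-readable output. This is an added example, not part of the original messages: it parses a constructed `gpg --with-colons --check-sigs` listing, and the 16-digit key IDs and user IDs are placeholders, not the real OpenSSL release keys.

```python
# Added example. Parses `gpg --with-colons --check-sigs <new key>` output.
# OLD/NEW key IDs and user IDs are constructed placeholders.
OLD, NEW = "1111111111111111", "2222222222222222"
CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP user-ID certification types


def uid_block(uid, old_status="!"):
    """Build constructed colon-format records for one user ID."""
    return [
        f"uid:-::::1388534400::::{uid}:",
        f"sig:!::1:{NEW}:1388534400::::{uid}:13x:",  # self-signature
        f"sig:{old_status}::1:{OLD}:1388534500::::Old <old@example.org>:10x:",
    ]


def listing(statuses):
    """Constructed listing: one user ID per status character given."""
    lines = [f"pub:-:2048:1:{NEW}:1388534400:::-:::scESC:"]
    for i, status in enumerate(statuses, 1):
        lines += uid_block(f"Signer <addr{i}@example.org>", status)
    return "\n".join(lines)


def certified_uids(text, trusted_keyid):
    """Map each user ID to True if gpg reported a good ('!') certification
    on it from trusted_keyid. '-' (bad) and '?' (unverifiable) do not count."""
    result, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            current = f[9]
            result[current] = False
        elif f[0] in ("pub", "sub", "uat"):
            current = None  # following sigs are not user-ID certifications
        elif f[0] == "sig" and current is not None and len(f) > 10:
            if (f[1] == "!" and f[10][:2] in CERT_CLASSES
                    and f[4].upper() == trusted_keyid.upper()):
                result[current] = True
    return result


def vouched_for(text, trusted_keyid):
    """True only if every user ID is certified by the trusted key."""
    uids = certified_uids(text, trusted_keyid)
    return bool(uids) and all(uids.values())


if __name__ == "__main__":
    print(vouched_for(listing("!!!"), OLD))  # all three user IDs certified
    print(vouched_for(listing("!-?"), OLD))  # one bad, one unverifiable
```

A passing result transfers trust only as far as the old key itself was verified by its full fingerprint against a securely obtained fingerprints.txt; 8-digit key IDs like the ones quoted in the thread are not unique identifiers.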