On 02/22/2018 11:13 PM, Kristian Fiskerstrand wrote:
> On 02/22/2018 11:03 PM, Henry wrote:
>> 2018-02-21 20:56 GMT+09:00 Kristian Fiskerstrand
>> :
>>> On 02/21/2018 11:53 AM, Peter Lebbing wrote:
>>> Touché :) Indeed, didn't notice it was an old file/signature , then
>>> gnupg 1.4 is the recommen
On 02/22/2018 11:03 PM, Henry wrote:
> 2018-02-21 20:56 GMT+09:00 Kristian Fiskerstrand
> :
>> On 02/21/2018 11:53 AM, Peter Lebbing wrote:
>> Touché :) Indeed, didn't notice it was an old file/signature , then
>> gnupg 1.4 is the recommended official suggestion presuming established
>> validity of
2018-02-21 20:56 GMT+09:00 Kristian Fiskerstrand
:
> On 02/21/2018 11:53 AM, Peter Lebbing wrote:
> Touché :) Indeed, didn't notice it was an old file/signature , then
> gnupg 1.4 is the recommended official suggestion presuming established
> validity of key material etc etc.
gpg (GnuPG) 1.4.22 do
On 02/21/2018 11:53 AM, Peter Lebbing wrote:
> On 21/02/18 10:48, Kristian Fiskerstrand wrote:
>>>gpg: Signature made Tue May 4 23:03:11 2004 JST
>> [...]
>>
>> The author should sign the package using a more modern and secure keyblock.
> Note that not the key, but the /signature/ is made 14 y
On 21/02/18 11:53, Peter Lebbing wrote:
> The
> author might not be available anymore or willing to expend any effort.
(Or the author might not have a more authentic copy of the file anymore
either. This is not the reason I'm self-replying though).
> This all comes with a major caveat.
Make that
On 21/02/18 10:48, Kristian Fiskerstrand wrote:
>>gpg: Signature made Tue May 4 23:03:11 2004 JST
> [...]
>
> The author should sign the package using a more modern and secure keyblock.
Note that not the key, but the /signature/ is made 14 years ago. So
we're talking about verifying the inte
On 02/21/2018 10:37 AM, Henry wrote:
> I downloaded a tarball ***6.4.tar.gz, it's signature file
> ***6.4.tar.gz.sig, and the author's public key **.pgp from a
> well-known site.
>
> I imported the public key: `gpg --import **.pgp`.
> For some reason, two keys were "skipped":
>gpg: key
I downloaded a tarball ***6.4.tar.gz, it's signature file
***6.4.tar.gz.sig, and the author's public key **.pgp from a
well-known site.
I imported the public key: `gpg --import **.pgp`.
For some reason, two keys were "skipped":
gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to
