On Tue, Oct 08, 2002 at 04:46:56PM -0700, Steve Thomas wrote: > Verify PGP signatures > > The Sendmail source distribution is cryptographically signed with the > following PGP key: > > pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 > <[EMAIL PROTECTED]> > Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45 > > The Trojan horse copy did not include an updated PGP signature, so > attempts to verify its integrity would have failed. The sendmail.org > staff has verified that the Trojan horse copies did indeed fail PGP > signature checks. > > Verify MD5 checksums > > In the absence of PGP, you can use the following MD5 checksums to > verify the integrity of your Sendmail source code distribution: > Correct versions: > > 73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz > cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z > 8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig
Hmmm... I have the md5sums for the gz and the sig, but the signature doesn't match. <raising left eyebrow> $ md5sum sendmail.8.12.6* 73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz 8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig $ gpg --verify sendmail.8.12.6.tar.{sig,gz} gpg: Signature made Mon Aug 26 22:06:30 2002 EDT using RSA key ID 678C0A03 gpg: BAD signature from "Sendmail Signing Key/2002 <[EMAIL PROTECTED]>" $ gpg --fingerprint [EMAIL PROTECTED] pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 <[EMAIL PROTECTED]> Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45 -- Randomly Generated Tagline: Oh my God, someone's trying to kill me! Oh wait, it's for Bart. -- Homer Simpson Cape Feare
msg08571/pgp00000.pgp
Description: PGP signature