On Tue, Oct 08, 2002 at 04:46:56PM -0700, Steve Thomas wrote:
> Verify PGP signatures
> 
>    The Sendmail source distribution is cryptographically signed with the
>    following PGP key:
> 
>      pub    1024R/678C0A03    2001-12-18   Sendmail   Signing   Key/2002
>      <[EMAIL PROTECTED]>
>      Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
> 
>    The Trojan horse copy did not include an updated PGP signature, so
>    attempts to verify its integrity would have failed. The sendmail.org
>    staff has verified that the Trojan horse copies did indeed fail PGP
>    signature checks.
> 
> Verify MD5 checksums
> 
>    In the absence of PGP, you can use the following MD5 checksums to
>    verify the integrity of your Sendmail source code distribution:
>    Correct versions:
> 
>      73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
>      cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
>      8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig

Hmmm...  I have the md5sums for the gz and the sig, but the signature
doesn't match.  <raising left eyebrow>

$ md5sum sendmail.8.12.6*
73e18ea78b2386b774963c8472cbd309  sendmail.8.12.6.tar.gz
8b9c78122044f4e4744fc447eeafef34  sendmail.8.12.6.tar.sig
$ gpg --verify sendmail.8.12.6.tar.{sig,gz}
gpg: Signature made Mon Aug 26 22:06:30 2002 EDT using RSA key ID 678C0A03
gpg: BAD signature from "Sendmail Signing Key/2002 <[EMAIL PROTECTED]>"
$ gpg --fingerprint [EMAIL PROTECTED]
pub  1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 <[EMAIL PROTECTED]>
     Key fingerprint = 7B 02 F4 AA FC C0 22 DA  47 3E 2A 9A 9B 35 22 45

-- 
Randomly Generated Tagline:
Oh my God, someone's trying to kill me!  Oh wait, it's for Bart.
 
                -- Homer Simpson
                   Cape Feare
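
An added example, not part of the original message or the quoted advisory: a shell helper that checks a download against the MD5 values quoted above and then feeds gpg the uncompressed tar stream instead of the `.gz`. It assumes, as the `.tar.sig` file name suggests, that the detached signature was made over the uncompressed tar file; the function names and the `GPG` override variable are this example's own.

```shell
#!/bin/sh
# Added example. The checksums are the "Correct versions" values quoted above.
KNOWN_MD5='73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig'

# Hypothetical override hook so the logic can be exercised without a keyring.
GPG=${GPG:-gpg}

# md5_ok FILE
#   0 = MD5 matches the advisory value for FILE's basename
#   1 = mismatch (treat the file as untrusted)
#   2 = the advisory lists no value for that file name
md5_ok() {
    name=$(basename "$1")
    want=$(printf '%s\n' "$KNOWN_MD5" | while read -r sum file; do
        if [ "$file" = "$name" ]; then echo "$sum"; fi
    done)
    [ -n "$want" ] || return 2
    have=$(md5sum < "$1")
    have=${have%% *}            # keep only the hex digest
    [ "$have" = "$want" ]
}

# verify_tar_sig SIG ARCHIVE
#   Verifies detached signature SIG against the tar stream inside ARCHIVE.
#   ASSUMPTION: SIG covers the uncompressed .tar, not the .gz/.Z container,
#   so a compressed archive is decompressed to stdout and gpg reads "-".
#   Returns gpg's exit status, or 2 for an unsupported file name.
verify_tar_sig() {
    case "$2" in
        *.tar)            reader=cat ;;
        *.tar.gz|*.tar.Z) reader='gzip -dc' ;;
        *) echo "unsupported archive: $2" >&2; return 2 ;;
    esac
    $reader "$2" | "$GPG" --verify "$1" -
}

# Typical use:
#   md5_ok sendmail.8.12.6.tar.gz &&
#   verify_tar_sig sendmail.8.12.6.tar.sig sendmail.8.12.6.tar.gz
```

A matching MD5 only shows the file equals what the advisory lists; the signature check is what ties the tar contents to the signing key whose fingerprint is shown above.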
