[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GNU autoconf-2.66 released [stable]

From: Olly Betts
Subject: Re: GNU autoconf-2.66 released [stable]
Date: Mon, 5 Jul 2010 06:19:12 +0000 (UTC)
User-agent: slrn/pre1.0.0-11 (Linux)

On 2010-07-02, Eric Blake <address@hidden> wrote:
> [*] You can use either of the above signature files to verify that
> the corresponding file (without the .sig suffix) is intact.  First,
> be sure to download both the .sig file and the corresponding tarball.
> Then, run a command like this:
>   gpg --verify autoconf-2.66.tar.gz.sig
> If that command fails because you don't have the required public key,
> then run this command to import it:
>   gpg --keyserver --recv-keys 2527436A

Hi Eric,

While your announcement was signed with a key with that fingerprint, the
tarball I downloaded was signed with a key with fingerprint F4850180:

2527436A and F4850180 seem to be cross-signed, which makes foul play an
unlikely explanation (it looks like F4850180 is an old SHA1 key you are
in the process of replacing), but it would be more reassuring to use the
same key for both signatures, or at least give the correct fingerprint
for verifying the tarball signatures in the signed announcement email.

(Or was this a test to see if anyone actually bothers to verify the


reply via email to

[Prev in Thread] Current Thread [Next in Thread]