Hi, I'm trying to verify the integrity of a CMake release using GPG. I'm getting the error that there's a BAD signature from "Brad King". Now I wonder what could be the reason for this issue.
To make it easily reproducible, here's my Dockerfile, describing the process for you to test it yourself. If you don't know docker, just run the commands after "RUN" on a centos/RHEL machine.

FROM centos:7

RUN yum install -y gpg

# Get CMake from official website
ADD https://cmake.org/files/v3.5/cmake-3.5.2-Linux-x86_64.tar.gz /tmp
ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt /tmp
ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt.asc /tmp

# Install CMake to /opt/cmake*
RUN tar xzf /tmp/cmake-*.tar.gz -C /opt
RUN echo "alias cmake=/opt/cmake*/bin/cmake" > ~/.bashrc

# Import Brad King's key from public PGP/GPG server
RUN gpg --keyserver pgp.mit.edu --recv 7BFB4EDA

# Ultimately trust Brad's key (non-interactively)
# (see http://blog.tersmitten.nl/how-to-ultimately-trust-a-public-key-non-interactively.html )
RUN echo "$( \
    gpg --list-keys --fingerprint \
    | grep 7BFB4EDA -A 1 \
    | tail -1 \
    | tr -d '[:space:]' \
    | awk 'BEGIN { FS = "=" } ; { print $2 }' \
    ):6:" \
    | gpg --import-ownertrust;

# Verify the integrity of the downloaded cmake tarball against Brad King's key
RUN gpg --verbose --verify /tmp/cmake*.asc /tmp/cmake*.tar.gz

Here's the output which indicates that something is wrong with the signature:

docker build -t docker_image_centos .
Sending build context to Docker daemon 19.46 kB
Step 1 : FROM centos:7
 ---> 28e524afdd05
Step 2 : RUN yum install -y rpm-build gcc-c++ make doxygen gpg git rpmlint
 ---> Using cache
 ---> 14ac7b398da3
Step 3 : ADD https://cmake.org/files/v3.5/cmake-3.5.2-Linux-x86_64.tar.gz /tmp
Downloading [==================================================>] 28.43 MB/28.43 MB
 ---> Using cache
 ---> 7580075ff224
Step 4 : ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt /tmp
Downloading 1.3 kB
 ---> Using cache
 ---> 2baf274427a5
Step 5 : ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt.asc /tmp
Downloading 819 B
 ---> Using cache
 ---> 3fe12e2bb3c9
Step 6 : RUN tar xzf /tmp/cmake-*.tar.gz -C /opt
 ---> Using cache
 ---> a045dc6c3c14
Step 7 : RUN echo "alias cmake=/opt/cmake*/bin/cmake" > ~/.bashrc
 ---> Using cache
 ---> 86072dec6ba5
Step 8 : RUN gpg --keyserver pgp.mit.edu --recv 7BFB4EDA
 ---> Running in 7becb0710a74
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 7BFB4EDA from hkp server pgp.mit.edu
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 7BFB4EDA: public key "Brad King" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
 ---> 0f01ef261745
Removing intermediate container 7becb0710a74
Step 9 : RUN echo "$( gpg --list-keys --fingerprint | grep 7BFB4EDA -A 1 | tail -1 | tr -d '[:space:]' | awk 'BEGIN { FS = "=" } ; { print $2 }' ):6:" | gpg --import-ownertrust;
 ---> Running in 74316f6291cb
gpg: inserting ownertrust of 6
 ---> b94c3ff29994
Removing intermediate container 74316f6291cb
Step 10 : RUN gpg --verbose --verify /tmp/cmake*.asc /tmp/cmake*.tar.gz
 ---> Running in 31e58a9e6637
gpg: armor header: Version: GnuPG v2
gpg: Signature made Fri Apr 15 15:41:34 2016 UTC using RSA key ID 34921684
gpg: using subkey 34921684 instead of primary key 7BFB4EDA
gpg: using PGP trust model
gpg: checking the trustdb
gpg: 1 keys cached (24 signatures)
gpg: 1 keys processed (0 validity counts cleared)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: BAD signature from "Brad King"
gpg: binary signature, digest algorithm SHA256
The command '/bin/sh -c gpg --verbose --verify /tmp/cmake*.asc /tmp/cmake*.tar.gz' returned a non-zero code: 1

Am I doing something wrong? How is a release supposed to be verified using GPG?

Thank you in advance!
Konrad
--
Powered by www.kitware.com

Please keep messages on-topic and check the CMake FAQ at: http://www.cmake.org/Wiki/CMake_FAQ

Kitware offers various services to support the CMake community. For more information on each offering, please visit:

CMake Support: http://cmake.org/cmake/help/support.html
CMake Consulting: http://cmake.org/cmake/help/consulting.html
CMake Training Courses: http://cmake.org/cmake/help/training.html

Visit other Kitware open-source projects at http://www.kitware.com/opensource/opensource.html

Follow this link to subscribe/unsubscribe:
http://public.kitware.com/mailman/listinfo/cmake
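Editor's note, as an added example that is not part of the post above or of CMake's own tooling. The failing step verifies cmake-3.5.2-SHA-256.txt.asc against the tarball, but that .asc file is a detached signature over the hash list cmake-3.5.2-SHA-256.txt it is named after (the "binary signature" line in the gpg output is consistent with a detached signature), so gpg compares the signature with the wrong data and reports BAD signature even when nothing has been tampered with. The release is verified in two steps: gpg checks the signature on the hash list, then the tarball is checked against the SHA-256 listed in that signed file. The script below does exactly that; it assumes the release files sit in the current directory and that the signing key has already been imported and trusted as in the Dockerfile. It avoids `sha256sum -c --ignore-missing` because that flag does not exist on the coreutils shipped with CentOS 7 and the hash list also names files that were not downloaded. The function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original post): verify a CMake release in two steps.
#   1. gpg verifies the detached signature cmake-X-SHA-256.txt.asc over the
#      hash list cmake-X-SHA-256.txt (the signature is NOT over the tarball).
#   2. the tarball is checked against the SHA-256 listed in that signed file.
set -u

# Portable SHA-256 of one file (sha256sum on GNU systems, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: verify the signature on the hash list.
# Arguments: <hash-list> <detached-signature>
# gpg exits non-zero on BAD signature or an unknown key, which aborts the
# whole procedure; trust of the key is handled by the ownertrust import.
verify_hash_list_signature() {
    gpg --verify "$2" "$1"
}

# Step 2: check one file against the signed hash list.
# The list has lines of the form "<sha256>  <filename>" (sha256sum format).
# Arguments: <hash-list> <file-to-check>
# Returns 0 on match, 1 on mismatch or if the file is not listed at all
# (an unlisted file must fail: silently skipping it would let an attacker
# substitute a tarball that the signed list never covered).
check_file_against_list() {
    hashlist=$1
    target=$2
    name=$(basename "$target")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$hashlist")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $hashlist" >&2
        return 1
    fi
    actual=$(sha256_of "$target")
    if [ "$actual" != "$expected" ]; then
        echo "$name: SHA-256 mismatch (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "$name: OK"
    return 0
}

# Full procedure: signature first, then hash. Any failure is fatal.
# Arguments: <hash-list> <detached-signature> <tarball>
# Usage for the release in the post:
#   verify_release cmake-3.5.2-SHA-256.txt cmake-3.5.2-SHA-256.txt.asc \
#                  cmake-3.5.2-Linux-x86_64.tar.gz
verify_release() {
    verify_hash_list_signature "$1" "$2" || return 1
    check_file_against_list "$1" "$3"
}
```

The order matters: the hash list is trusted only after gpg has accepted its signature, and the tarball is trusted only after its hash matches an entry in that list. Checking the hash first and the signature second, or checking the hash against a list that was never signed, would verify nothing.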