On 2016-05-09 17:11+0200 Konrad Kleine wrote:

Hi,

I'm trying to verify the integrity of a CMake release using GPG. I'm
getting the error that there's a BAD signature from "Brad King". Now I
wonder what could be the reason for this issue.

[...]
# Verify the integrity of the downloaded cmake tarball against Brad King's key
RUN gpg --verbose --verify /tmp/cmake*.asc /tmp/cmake*.tar.gz

I am virtually positive the above command is the source of the issue
because gpg cannot be used to verify a raw tarball (i.e., the above
/tmp/cmake*.tar.gz file).

Instead, gpg should be used to verify the
cmake-3.5.2-SHA-256.txt file as follows:

gpg --verify cmake-3.5.2-SHA-256.txt.asc

When I do that here (with everything downloaded from the official CMake site)
I get the following results:

gpg: assuming signed data in 'cmake-3.5.2-SHA-256.txt'
gpg: Signature made Fri 15 Apr 2016 08:41:34 AM PDT using RSA key ID 34921684
gpg: Good signature from "Brad King"
gpg:                 aka "Brad King <brad.k...@kitware.com>"
gpg:                 aka "[jpeg image of size 4005]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CBA2 3971 357C 2E65 90D9  EFD3 EC8F EF3A 7BFB 4EDA
     Subkey fingerprint: C6C2 6532 4BBE BDC3 50B5  13D0 2D2C EF10 3492 1684

Then, once cmake-3.5.2-SHA-256.txt has been verified this way with a
good signature, I run

grep cmake-3.5.2.tar.gz cmake-3.5.2-SHA-256.txt |sha256sum --check

with the result

cmake-3.5.2.tar.gz: OK

which verifies the raw tarball is consistent with the digitally signed
and verified sum file.

Alan
__________________________
Alan W. Irwin

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the FreeEOS equation-of-state
implementation for stellar interiors (freeeos.sf.net); the Time
Ephemerides project (timeephem.sf.net); PLplot scientific plotting
software package (plplot.sf.net); the libLASi project
(unifont.org/lasi); the Loads of Linux Links project (loll.sf.net);
and the Linux Brochure Project (lbproject.sf.net).
__________________________

Linux-powered Science
__________________________
--

Powered by www.kitware.com

Please keep messages on-topic and check the CMake FAQ at: 
http://www.cmake.org/Wiki/CMake_FAQ

Kitware offers various services to support the CMake community. For more 
information on each offering, please visit:

CMake Support: http://cmake.org/cmake/help/support.html
CMake Consulting: http://cmake.org/cmake/help/consulting.html
CMake Training Courses: http://cmake.org/cmake/help/training.html

Visit other Kitware open-source projects at 
http://www.kitware.com/opensource/opensource.html

Follow this link to subscribe/unsubscribe:
http://public.kitware.com/mailman/listinfo/cmake

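The two-step check Alan describes, as an added example that is not part of the thread and not code from CMake or Kitware. It goes slightly beyond his commands in two ways a practitioner would want: it does not stop at gpg's "Good signature" line (gpg prints that for any key in the keyring, and the WARNING in the output above says nothing ties that key to Kitware), but reads gpg's machine-readable status output and requires a VALIDSIG whose primary-key fingerprint equals a pinned value; and it selects the sums-file entry by exact file name rather than by a grep regex, in which the dots of cmake-3.5.2.tar.gz match any character. Assumptions: GnuPG 2 (gpg) and GNU coreutils sha256sum are installed, the three files have already been downloaded, and the pinned fingerprint is the primary-key fingerprint gpg printed in Alan's output (in practice obtain it out of band). The function names and the self-check data are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread or from CMake/Kitware.
# Assumes: gpg (GnuPG 2), GNU coreutils sha256sum, and the files
# cmake-<ver>-SHA-256.txt, cmake-<ver>-SHA-256.txt.asc and the tarball
# already downloaded.  The fingerprint is the one printed in the thread;
# it is pinned here as an assumption, not fetched from anywhere.

EXPECTED_PRIMARY_FPR="CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA"

# Step 1: verify the detached signature on the sums file (gpg wants the
# signature first, then the signed data).  Human-readable output goes to
# stderr and is discarded; status lines go to stdout via --status-fd 1.
# Accept only if a VALIDSIG line's last field (the primary-key fingerprint)
# equals the pinned value, so an unrelated key that happens to be in the
# keyring cannot produce a "Good signature" we would trust.
verify_sums_signature() {
    sums_file=$1
    sig_file=${2:-$1.asc}
    status=$(gpg --batch --status-fd 1 --verify "$sig_file" "$sums_file" 2>/dev/null) || return 1
    printf '%s\n' "$status" \
        | awk -v fpr="$EXPECTED_PRIMARY_FPR" \
              '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == fpr { ok = 1 } END { exit !ok }'
}

# Step 2: check the tarball against the (already verified) sums file.
# The sums file has lines of the form "<hex digest>  <file name>"; select
# the entry whose name field is exactly the tarball's base name, rebuild a
# checksum line pointing at the actual path, and let sha256sum compare.
# A missing entry is a failure, not a pass.
verify_tarball_sum() {
    tarball=$1
    sums_file=$2
    name=$(basename "$tarball")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums_file")
    [ -n "$expected" ] || { echo "no entry for $name in $sums_file" >&2; return 1; }
    printf '%s  %s\n' "$expected" "$tarball" | sha256sum --check >/dev/null 2>&1
}

# Both steps in the order Alan gives: a tarball is accepted only if its
# digest appears in a sums file carrying a valid signature from the pinned key.
verify_cmake_release() {
    sums_file=$1
    tarball=$2
    verify_sums_signature "$sums_file" || { echo "signature check failed on $sums_file" >&2; return 1; }
    verify_tarball_sum "$tarball" "$sums_file" || { echo "digest mismatch for $tarball" >&2; return 1; }
    echo "$tarball: OK (sums file signed by $EXPECTED_PRIMARY_FPR)"
}

# Offline self-check on constructed input (a fake "tarball" and a sums file
# in the same two-column layout as cmake-3.5.2-SHA-256.txt; no gpg involved).
# Returns 0 if step 2 accepts the intact file and rejects both a tampered
# file and a file that has no entry in the sums file.
self_check() {
    dir=$(mktemp -d) || return 1
    printf 'constructed tarball bytes, not a real archive\n' > "$dir/cmake-3.5.2.tar.gz"
    hash=$(sha256sum "$dir/cmake-3.5.2.tar.gz" | awk '{ print $1 }')
    {
        printf '%s  cmake-3.5.2-Linux-x86_64.tar.gz\n' "$(printf '%064d' 0)"
        printf '%s  cmake-3.5.2.tar.gz\n' "$hash"
    } > "$dir/cmake-3.5.2-SHA-256.txt"
    result=0
    verify_tarball_sum "$dir/cmake-3.5.2.tar.gz" "$dir/cmake-3.5.2-SHA-256.txt" || result=1
    printf 'x' >> "$dir/cmake-3.5.2.tar.gz"   # append one byte: digest must now mismatch
    verify_tarball_sum "$dir/cmake-3.5.2.tar.gz" "$dir/cmake-3.5.2-SHA-256.txt" && result=1
    verify_tarball_sum "$dir/cmake-3.5.2.zip" "$dir/cmake-3.5.2-SHA-256.txt" && result=1
    rm -rf "$dir"
    return $result
}

# Usage: sh verify-cmake.sh cmake-3.5.2-SHA-256.txt cmake-3.5.2.tar.gz
# (the signature is taken to be <sums file>.asc).  With no arguments the
# offline self-check runs instead.
if [ $# -eq 2 ]; then
    verify_cmake_release "$1" "$2"
else
    self_check
fi
```

In a Dockerfile the RUN line would call verify_cmake_release with the sums file and the tarball instead of pointing gpg at the tarball itself; the build then fails on a bad signature, a signature from the wrong key, a digest mismatch, or a sums file that simply does not list the tarball.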