Dear John, upstream replied already:
> Hello 👋 The issue is not with the key but with the signature, which has Type: > Text while the signed data is binary. That in itself doesn't prevent the > signature from being verified but it does trigger newline normalization > (which over a binary file is not very sensible). The way GnuPG does newline > normalization might be slightly different, though OpenPGP.js rejects the > signature as well so I'm inclined to say our behavior is per spec. I would > recommend signing the file as binary to fix this issue. How did you create the signature? Maybe the tool can be taught to sign the upstream tarballs? Maybe it has a switch to properly sign binary data as binary? Best regards, Martin
signature.asc
Description: PGP signature
