[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor Distros Repository Problems (serious!)

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Tor Distros Repository Problems (serious!)
From: Erinn Clark <erinn@xxxxxxxxxxxxxx>
Date: Tue, 18 Jan 2011 06:32:15 +0100
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Tue, 18 Jan 2011 00:40:03 -0500
In-reply-to: <N1-PvXzd_4VT-@xxxxxxxxxxxxx>
References: <N1-PvXzd_4VT-@xxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.4.2.3i

* wirelesssnowman@xxxxxxxxxxxxx <wirelesssnowman@xxxxxxxxxxxxx> [2011:01:17 22:46 -0500]: 
> *BOTH* files are *EXACTLY* the *SAME*! They are the public key from
> the would be signer, but the .asc files are NOT the correctly signed
> files from the signer's public key. The .asc files are WORTHLESS and
> gpg issues an error if you try and verify the .asc files:
> 
> #gpg: verify signatures failed: Unexpected error
> 
> Why? Because it's not a valid signature at all, it's a duplicate copy of the public key which is also found in RPM-GPG-KEY-torproject.org !

What happens when you verify it with 'rpm -K file.rpm'? The signatures made for
the rpms are made with rpm, not gpg, though it is a gpg key in the backend.

Please read this page to understand how rpms are signed:
http://www.vitki.net/ru/book/page/how-create-yum-repository

And see the commands listed here in the rpm {--addsign} part:
http://www.tin.org/bin/man.cgi?section=8&topic=rpmsign

Attachment: pgphXedBPBKoG.pgp
Description: PGP signature

References:
- Tor Distros Repository Problems (serious!)
  - From: wirelesssnowman

Prev by Author: Using Mixminion trough the Tor network
Next by Author: Re: Polipo bug Re: Tor 0.2.2.21-alpha is out (security patches)
Previous by thread: Tor Distros Repository Problems (serious!)
Next by thread: Why my aptitude changes my tor package?
Index(es):
- Author
- Thread