* wirelesssnowman@xxxxxxxxxxxxx <wirelesssnowman@xxxxxxxxxxxxx> [2011:01:17 22:46 -0500]:
> *BOTH* files are *EXACTLY* the *SAME*! They are the public key from
> the would be signer, but the .asc files are NOT the correctly signed
> files from the signer's public key. The .asc files are WORTHLESS and
> gpg issues an error if you try and verify the .asc files:
>
> #gpg: verify signatures failed: Unexpected error
>
> Why? Because it's not a valid signature at all, it's a duplicate copy
> of the public key which is also found in RPM-GPG-KEY-torproject.org !

What happens when you verify it with 'rpm -K file.rpm'?

The signatures made for the rpms are made with rpm, not gpg, though it
is a gpg key in the backend. Please read this page to understand how
rpms are signed:
http://www.vitki.net/ru/book/page/how-create-yum-repository

And see the commands listed here in the rpm {--addsign} part:
http://www.tin.org/bin/man.cgi?section=8&topic=rpmsign
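
The distinction discussed in this message, as an added example that is not part of the original post or of the project's tooling: it reads the armor header of an .asc file to tell a public key block from a detached signature, then runs the check that fits. The function names asc_kind and check_download are hypothetical, and rpm -K assumes the signer's key was already imported with rpm --import.

```sh
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# Print what an ASCII-armored file contains, judged by its first armor header:
# "public-key", "signature", "signed-message" or "unknown".
asc_kind() {
    # A missing or unreadable file leaves header empty and yields "unknown".
    header=$(sed -n '/^-----BEGIN PGP /{p;q;}' "$1" 2>/dev/null) || header=
    case "$header" in
        # The trailing * tolerates a CR from files saved with DOS line endings.
        '-----BEGIN PGP PUBLIC KEY BLOCK-----'*) echo public-key ;;
        '-----BEGIN PGP SIGNATURE-----'*)        echo signature ;;
        '-----BEGIN PGP SIGNED MESSAGE-----'*)   echo signed-message ;;
        *)                                       echo unknown ;;
    esac
}

# Choose the verification that matches what the .asc file really is.
# Assumption: the signer's key file (e.g. RPM-GPG-KEY-torproject.org) was
# imported beforehand with: rpm --import <keyfile>
check_download() {
    pkg=$1
    asc=$2
    case "$(asc_kind "$asc")" in
        public-key)
            # Nothing for gpg to verify here: the signature is inside the RPM.
            echo "$asc is a public key, not a signature; checking the RPM itself"
            rpm -K "$pkg" ;;
        signature)
            # A real detached signature is checked against the package file.
            gpg --verify "$asc" "$pkg" ;;
        *)
            echo "$asc: no usable OpenPGP armor header found" >&2
            return 2 ;;
    esac
}

# Usage: sh this-script.sh file.rpm file.rpm.asc
if [ "$#" -eq 2 ]; then
    check_download "$1" "$2"
fi
```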