
Re: Tor Distros Repository Problems (serious!)



* wirelesssnowman@xxxxxxxxxxxxx <wirelesssnowman@xxxxxxxxxxxxx> [2011:01:17 22:46 -0500]: 
> *BOTH* files are *EXACTLY* the *SAME*! They are the public key from
> the would-be signer, but the .asc files are NOT the correctly signed
> files from the signer's public key. The .asc files are WORTHLESS and
> gpg issues an error if you try and verify the .asc files:
> 
> #gpg: verify signatures failed: Unexpected error
> 
> Why? Because it's not a valid signature at all, it's a duplicate copy of the public key which is also found in RPM-GPG-KEY-torproject.org !

What happens when you verify it with 'rpm -K file.rpm'? The signatures made for
the rpms are made with rpm, not gpg, though it is a gpg key in the backend.

Please read this page to understand how rpms are signed:
http://www.vitki.net/ru/book/page/how-create-yum-repository

And see the commands listed here in the rpm {--addsign} part:
http://www.tin.org/bin/man.cgi?section=8&topic=rpmsign

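An added example, not part of the original message: a small Python check that reports whether an ASCII-armored `.asc` file holds a public key or a signature, reading both the armor header and the first OpenPGP packet tag (RFC 4880). The function names and the sample inputs are constructed for illustration; the payloads are placeholder bytes, not real keys or signatures.

```python
import base64
import re

# OpenPGP packet tags (RFC 4880, section 4.3) relevant to this check.
TAGS = {2: "signature", 6: "public-key"}
ARMOR = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")

def first_packet_tag(data: bytes) -> int:
    """Return the tag of the first OpenPGP packet in binary data."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                # new-format header: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F      # old-format header: tag in bits 5-2

def classify_asc(text: str) -> dict:
    """Report what an armored file claims to be and what it contains."""
    lines = [l.strip() for l in text.strip().splitlines()]
    m = ARMOR.match(lines[0]) if lines else None
    if not m:
        raise ValueError("no PGP armor header")
    # Armor headers (e.g. "Version: ...") end at the first blank line.
    start = lines.index("") + 1 if "" in lines else 1
    body = []
    for l in lines[start:]:
        if l.startswith("=") or l.startswith("-----END"):  # CRC24 or footer
            break
        body.append(l)
    tag = first_packet_tag(base64.b64decode("".join(body)))
    return {"armor": m.group(1), "packet": TAGS.get(tag, f"tag {tag}")}

def _armor(kind: str, payload: bytes) -> str:
    """Build a constructed armored sample (no CRC line, placeholder data)."""
    b64 = base64.b64encode(payload).decode()
    return (f"-----BEGIN PGP {kind}-----\nVersion: constructed\n\n"
            f"{b64}\n-----END PGP {kind}-----\n")

# Constructed samples: only the first header byte is meaningful.
SAMPLE_KEY = _armor("PUBLIC KEY BLOCK", b"\x99\x01\x0d" + bytes(8))
SAMPLE_SIG = _armor("SIGNATURE", b"\x89\x01\x1c" + bytes(8))
# A file labelled as a signature whose content is really a key packet.
SAMPLE_MISLABELLED = _armor("SIGNATURE", b"\x99\x01\x0d" + bytes(8))

if __name__ == "__main__":
    for name in ("SAMPLE_KEY", "SAMPLE_SIG", "SAMPLE_MISLABELLED"):
        print(name, classify_asc(globals()[name]))
```

This only identifies the file type; it does not verify anything. Package signatures embedded in an rpm are still checked with `rpm -K file.rpm`, as the reply says.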