[tor-bugs] #13357 [Tor Browser]: GPG signature is broken for GCC 4.8.3

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 7 18:29:31 UTC 2014


#13357: GPG signature is broken for GCC 4.8.3
-------------------------+--------------------------
 Reporter:  kpdyer       |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+--------------------------
 GCC 4.8.3 is signed by RSA key ID FC26A641.

 {{{
 $ gpg --verify gcc-4.8.3.tar.bz2.sig
 gpg: Signature made Thu May 22 04:09:35 2014 PDT using RSA key ID FC26A641
 gpg: Good signature from "Richard Guenther <rguenth at tat.physik.uni-tuebingen.de>"
 gpg:                 aka "Richard Guenther (GCC) <rguenth at gcc.gnu.org>"
 ...
 }}}

 This key is not included in our GCC keyring:

 {{{
 $ gpg gitian/gpg/GCC.gpg
 pub  1024D/C3C45C06 2004-04-21 Jakub Jelinek <jakub at redhat.com>
 sub  2048g/241CF083 2004-04-21 [expires: 2020-09-10]
 $
 }}}

 So, when I build the tor-browser-bundle, I get:

 {{{
 ...
 2014-10-07 10:26:55 (14.4 MB/s) - `gcc-4.8.3.tar.bz2.sig' saved [280/280]

 GCC: GPG signature is broken for
 https://ftp.gnu.org/gnu/gcc/gcc-4.8.3/gcc-4.8.3.tar.bz2
 }}}

 Actually, there are six keys that can sign the GCC releases:

 https://gcc.gnu.org/mirrors.html

 So, we probably want to update {{{gitian/gpg/GCC.gpg}}} to include all six
 keys.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13357>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
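
The build log above says "GPG signature is broken", although what the ticket describes is a signing key that is absent from the keyring. As an added example (not part of the ticket or of the Tor Browser build scripts), this shell sketch tells the two cases apart using gpg's machine-readable `--status-fd` output. The function names, the sample status lines and the placeholder key ID are constructed for illustration.

```shell
#!/bin/sh
# Classify `gpg --status-fd` output read from stdin. Prints one of:
#   good <fingerprint> | missing-key <keyid> | bad-signature | unknown
classify_gpg_status() {
    awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG"  { good = 1; fpr = $3 }
        $1 == "[GNUPG:]" && $2 == "BADSIG"    { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { nokey = 1; keyid = $3 }
        END {
            # A bad signature outranks everything; a missing key outranks good.
            if (bad)        print "bad-signature"
            else if (nokey) print "missing-key " keyid
            else if (good)  print "good " fpr
            else            print "unknown"
        }'
}

# Verify detached signature SIG over FILE using only KEYRING
# (for this ticket: gitian/gpg/GCC.gpg), ignoring the user's own keyring.
# Note: gpg treats a --keyring value without a slash as relative to its homedir.
verify_with_keyring() {
    keyring=$1 sig=$2 file=$3
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sig" "$file" 2>/dev/null | classify_gpg_status
}

# Constructed sample status output (placeholder key ID and fingerprint).
SAMPLE_MISSING='[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1400756975 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-05-22 1400756975 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'

SAMPLE_BAD='[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'
```

A `missing-key` result points at the keyring rather than at the downloaded tarball, which is the situation this ticket reports.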

