GPG problem with Tor RPM

Roger Dingledine arma at mit.edu
Mon Mar 21 21:04:13 UTC 2005


On Mon, Mar 21, 2005 at 03:02:01PM +0000, Chris wrote:
> I couldn't verify the RPMs using GPG:
> 
>   rpm -K tor-0.0.9.5-tor.0.fc1.i386.rpm
>   tor-0.0.9.5-tor.0.fc1.i386.rpm: sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#28988bf5) 
[snip]
> I do have the gpg key installed -- I did this:
[snip]
>   rpm --import tor.asc
[snip]
>   warning: tor-0.0.9.5-tor.0.fc1.src.rpm: V3 DSA signature: NOKEY, key ID 28988bf5

My first guess is that you're failing to import my key into your rpm db.
Have you gotten this working with other programs, and other keys? Some
versions of rpm are rumored to have bugs where rpm --import silently
fails.

I just repeated these steps on my FC1 machine, and it claims to be
missing the key too. So it's not that it's getting a *bad* signature,
it just fails to learn about the key.

rpm -K works fine for me on my RC73 machine (where rpm actually uses gpg).

In any case, I double-checked and the rpms available from tor.eff.org
are still in fact the ones that I uploaded, so I think all is well on
that front.

This is why I've been pushing Jeff Moe (cc'ed) to handle our RPM
distribution. I'm just winging it, and tend to put actual Tor development
higher priority. :)

>   cd `rpm --eval '%{_sourcedir}'`
> 
>   wget http://tor.eff.org/dist/tor-0.0.9.5.tar.gz.asc
> 
>   gpg --verify tor-0.0.9.5.tar.gz.asc 
>   gpg: Signature made Wed 23 Feb 2005 06:33:29 GMT using DSA key ID 28988BF5
>   gpg: BAD signature from "Roger Dingledine <arma at mit.edu>"

Right, this is because our "make dist-rpm" builds its own tarball and
then makes an rpm out of it. So it won't use the same tarball as is
uploaded to the site. If anybody wants to submit a patch to make it use
the official tarball, that would be great.

> However I then got the tgz from the site, checked the sig
> OK and built my own RPM using that and it was OK.

Great.

--Roger
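An added example (not part of the thread or of Tor's own tooling): a small POSIX sh helper that tells the two failure modes quoted above apart, a key that never reached the rpm db versus a signature that genuinely does not match, and that confirms `rpm --import` actually took, since the message notes it can fail silently. The sample output lines are constructed from those quoted in the exchange; the rpm invocations assume rpm's `gpg-pubkey` pseudo-package convention and only run on a real system.

```shell
#!/bin/sh
# Added example: triage rpm -K / gpg --verify output and verify a key import.

# classify_verify_line LINE -> prints one of: missing_key, bad_signature, ok, unknown
# Order matters: the "MISSING KEYS" line also contains "NOT OK", so the key
# problem is recognised first and not mistaken for a tampered package.
classify_verify_line() {
    case "$1" in
        *"MISSING KEYS"*|*NOKEY*)        echo missing_key ;;
        *"BAD signature"*|*"NOT OK"*)    echo bad_signature ;;
        *"Good signature"*|*" OK"*)      echo ok ;;
        *)                               echo unknown ;;
    esac
}

# check_key_imported KEYID -> 0 if the 8-hex-digit key id is present in the rpm db.
# rpm stores imported keys as gpg-pubkey-<keyid>-<stamp>, with the key id in
# %{VERSION}; this catches an --import that returned success but stored nothing.
check_key_imported() {
    keyid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    rpm -qa 'gpg-pubkey*' --qf '%{VERSION}\n' 2>/dev/null | grep -qx "$keyid"
}

# verify_rpm FILE KEYID -> 0 only when the signature verifies; otherwise says
# whether the key or the signature is at fault (the distinction the thread hinges on).
verify_rpm() {
    out=$(rpm -K "$1" 2>&1)
    case "$(classify_verify_line "$out")" in
        ok)            echo "OK: $1"; return 0 ;;
        missing_key)   check_key_imported "$2" \
                           && echo "key $2 is in the rpm db but rpm -K still reports it missing (rpm bug?)" \
                           || echo "key $2 never reached the rpm db; re-run rpm --import and re-check"
                       return 1 ;;
        bad_signature) echo "BAD SIGNATURE on $1: package or signature does not match"; return 1 ;;
        *)             echo "unrecognised rpm -K output: $out"; return 1 ;;
    esac
}

# Constructed sample lines, modelled on the output quoted in the thread.
SAMPLE_MISSING='tor-0.0.9.5-tor.0.fc1.i386.rpm: sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#28988bf5)'
SAMPLE_NOKEY='warning: tor-0.0.9.5-tor.0.fc1.src.rpm: V3 DSA signature: NOKEY, key ID 28988bf5'
SAMPLE_BAD='gpg: BAD signature from "Roger Dingledine <arma at mit.edu>"'
SAMPLE_OK='tor-0.0.9.5-tor.0.fc1.i386.rpm: sha1 md5 (GPG) OK'   # constructed success line

for s in "$SAMPLE_MISSING" "$SAMPLE_NOKEY" "$SAMPLE_BAD" "$SAMPLE_OK"; do
    printf '%-14s %s\n' "$(classify_verify_line "$s")" "$s"
done
```

On a live system, `verify_rpm tor-0.0.9.5-tor.0.fc1.i386.rpm 28988bf5` runs the whole check; the loop at the end only exercises the classifier on the constructed lines.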
