GPG problem with Tor RPM

[Chris]

Hi

On Mon 21-Mar-2005 at 04:04:13PM -0500, Roger Dingledine
wrote:
> 
> My first guess is that you're failing to import my key
> into your rpm db.

Yeah, that was my first guess too :-)

> Have you gotten this working with other programs, and
> other keys?

Yes, most of them most of the time...

> Some versions of rpm are rumored to have bugs where rpm
> --import silently fails.

Yeah I remember hearing this somewhere also...

> I just repeated these steps on my FC1 machine, and it
> claims to be missing the key too. So it's not that it's
> getting a *bad* signature, it just fails to learn about
> the key.

I have tried on FC1 and FC3, same results.

> rpm -K works fine for me on my RC73 machine (where rpm
> actually uses gpg).

Ahh, interesting, perhaps we should check the Red Hat
bugzilla...

> In any case, I double-checked and the rpms available
> from tor.eff.org are still in fact the ones that I
> uploaded, so I think all is well on that front.

Yeah, I wasn't too woried about this ;-)

> This is why I've been pushing Jeff Moe (cc'ed) to handle
> our RPM distribution. I'm just winging it, and tend to
> put actual Tor development higher priority. :)

That sounds like a fine plan!

> >   cd `rpm --eval '%{_sourcedir}'`
> > 
> >   wget http://tor.eff.org/dist/tor-0.0.9.5.tar.gz.asc
> > 
> >   gpg --verify tor-0.0.9.5.tar.gz.asc 
> >   gpg: Signature made Wed 23 Feb 2005 06:33:29 GMT using DSA key ID 28988BF5
> >   gpg: BAD signature from "Roger Dingledine <arma at mit.edu>"
> 
> Right, this is because our "make dist-rpm" builds its
> own tarball and then makes an rpm out of it. So it won't
> use the same tarball as is uploaded to the site.

Ah, I see.

> If anybody wants to submit a patch to make it use the
> official tarball, that would be great.

Well I'm sorry to say that I'm probably not up to doing
that... 

Thanks

Chris

-- 
Aktivix -- Free Software for a Free World