Tor Distros Repository Problems (serious!)

Erinn Clark erinn at torproject.org
Tue Jan 18 05:32:15 UTC 2011


* wirelesssnowman at Safe-mail.net <wirelesssnowman at Safe-mail.net> [2011:01:17 22:46 -0500]: 
> *BOTH* files are *EXACTLY* the *SAME*! They are the public key from
> the would be signer, but the .asc files are NOT the correctly signed
> files from the signer's public key. The .asc files are WORTHLESS and
> gpg issues an error if you try and verify the .asc files:
> 
> #gpg: verify signatures failed: Unexpected error
> 
> Why? Because it's not a valid signature at all, it's a duplicate copy of the public key which is also found in RPM-GPG-KEY-torproject.org !

What happens when you verify it with 'rpm -K file.rpm'? The signatures made for
the rpms are made with rpm, not gpg, though it is a gpg key in the backend.

Please read this page to understand how rpms are signed:
http://www.vitki.net/ru/book/page/how-create-yum-repository

And see the commands listed here in the rpm {--addsign} part:
http://www.tin.org/bin/man.cgi?section=8&topic=rpmsign
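As an added illustration of the point above (this is example code, not anything from the thread or from the Tor project), the script below first classifies an armored OpenPGP file so that a PUBLIC KEY BLOCK shipped as `.asc` is not mistaken for a detached signature, then imports the repository key and checks the package with `rpm -K`. The `.asc` naming, the `RPM-GPG-KEY-torproject.org` key file name and the `rpm -K` output formats it parses ("... gpg OK" on older rpm, "digests signatures OK" on rpm 4.14 and later) are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread): classify an armored OpenPGP file and
# judge an `rpm -K` result.  File names and output formats are assumptions.

# Print the kind of OpenPGP armor a file carries: "pubkey", "signature" or
# "other".  A PUBLIC KEY BLOCK is what the poster found in the .asc files;
# it is not a detached signature, so gpg --verify cannot use it as one.
armor_type() {
    first=$(head -n 1 "$1")
    case "$first" in
        '-----BEGIN PGP PUBLIC KEY BLOCK-----') echo pubkey ;;
        '-----BEGIN PGP SIGNATURE-----')        echo signature ;;
        *)                                      echo other ;;
    esac
}

# Judge one line of `rpm -K` / `rpm --checksig` output.  Succeeds only when
# the line ends in "OK" and a signature component was actually checked; any
# "NOT OK" or "MISSING KEYS" (unknown signing key) is a failure, and so is a
# digest-only line such as the one produced by `rpm -K --nosignature`.
checksig_ok() {
    line=$1
    case "$line" in
        *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;
    esac
    case "$line" in
        *" OK") ;;
        *) return 1 ;;
    esac
    # Older rpm prints "gpg"/"pgp" in the component list; rpm >= 4.14 prints
    # "signatures" (assumed formats).
    case "$line" in
        *gpg*|*pgp*|*signatures*) return 0 ;;
        *) return 1 ;;
    esac
}

# Full check for one package: warn when the accompanying .asc is really a
# public key, import the repository key into the rpm keyring, then verify.
verify_rpm() {
    pkg=$1; keyfile=${2:-RPM-GPG-KEY-torproject.org}
    if [ -f "$pkg.asc" ] && [ "$(armor_type "$pkg.asc")" = pubkey ]; then
        echo "$pkg.asc is a public key, not a signature; ignoring it" >&2
    fi
    rpm --import "$keyfile" || return 1
    out=$(rpm -K "$pkg") || { echo "$out" >&2; return 1; }
    checksig_ok "$out" || { echo "$out" >&2; return 1; }
    echo "$out"
}
```

Run as `verify_rpm tor-<version>.rpm RPM-GPG-KEY-torproject.org`; the exit status is non-zero unless rpm reports a valid signature from an imported key.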