Tor Distros Repository Problems (serious!)

Erinn Clark erinn at
Tue Jan 18 05:32:15 UTC 2011

* wirelesssnowman at <wirelesssnowman at> [2011:01:17 22:46 -0500]: 
> *BOTH* files are *EXACTLY* the *SAME*! They are the public key from
> the would be signer, but the .asc files are NOT the correctly signed
> files from the signer's public key. The .asc files are WORTHLESS and
> gpg issues an error if you try and verify the .asc files:
> #gpg: verify signatures failed: Unexpected error
> Why? Because it's not a valid signature at all, it's a duplicate copy of the public key which is also found in !

What happens when you verify it with 'rpm -K file.rpm'? The signatures made for
the rpms are made with rpm, not gpg, though it is a gpg key in the backend.

Please read this page to understand how rpms are signed:

And see the commands listed here in the rpm {--addsign} part:
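Added example, not part of the original message or of the Tor project's tooling: a small shell helper that reads the armor header of a `.asc` file to tell a public key block from a detached signature, then prints the matching check (`rpm --import` plus `rpm -K` for a key shipped beside an rpm, `gpg --verify` for a detached signature). The function names `asc_kind` and `verify_hint` and the sample file names are hypothetical, and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Classify an ASCII-armored OpenPGP file by its armor header line so that a
# public key file is not mistaken for a detached signature.

# Print the armor type of the first armored block in file $1.
asc_kind() {
    # The first line starting with the armor marker decides the type;
    # strip a trailing CR so files with DOS line endings still match.
    header=$(sed -n '/^-----BEGIN PGP /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        '-----BEGIN PGP PUBLIC KEY BLOCK-----') echo public-key ;;
        '-----BEGIN PGP SIGNATURE-----')        echo detached-signature ;;
        '-----BEGIN PGP SIGNED MESSAGE-----')   echo clearsigned-message ;;
        *)                                      echo unknown ;;
    esac
}

# Print the verification command that fits .asc file $1 and package $2.
verify_hint() {
    asc=$1
    pkg=$2
    case "$(asc_kind "$asc")" in
        public-key)
            # Key material: import it, then check the signature that
            # rpm stored inside the package itself.
            echo "rpm --import $asc && rpm -K $pkg" ;;
        detached-signature)
            echo "gpg --verify $asc $pkg" ;;
        clearsigned-message)
            echo "gpg --verify $asc" ;;
        *)
            echo "unrecognized: inspect $asc by hand" ;;
    esac
}

# Constructed sample files (placeholder bodies, not real key or signature
# data; the file names are hypothetical).
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '(placeholder)' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$tmp/tor.rpm.asc"
printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '(placeholder)' \
    '-----END PGP SIGNATURE-----' > "$tmp/tor.tar.gz.asc"
verify_hint "$tmp/tor.rpm.asc" tor.rpm
verify_hint "$tmp/tor.tar.gz.asc" tor.tar.gz
rm -rf "$tmp"
```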