binutils-2.30.tar.xz.sig uses unpublished key

John Darrington john@darrington.wattle.id.au
Sun Jan 28 16:34:00 GMT 2018


On Sun, Jan 28, 2018 at 10:36:24AM +0700, Somchai Smythe wrote:
     binutils-2.30.tar.xz.sig uses a key that is not on any public
     keyservers I could find
     
     gpg2 --verify binutils-2.30.tar.xz.sig binutils-2.30.tar.xz
     gpg: Signature made Sat 27 Jan 2018 10:39:36 PM +07
     gpg:                using RSA key 8CC5D97DEDD6A491
     gpg: Can't check signature: No public key
     
     gpg2 --keyserver hkp://pool.sks-keyservers.net/ --recv-keys 0x8CC5D97DEDD6A491
     gpg: keyserver receive failed: No data
     
     gpg2 --keyserver hkp://keys.fedoraproject.org/ --recv-keys 0x8CC5D97DEDD6A491
     gpg: keyserver receive failed: No data
     
     gpg2 --keyserver hkp://keys.gnupg.net/ --recv-keys 0x8CC5D97DEDD6A491
     gpg: keyserver receive failed: No data
     
     gpg2 --keyserver hkp://keyserver.ubuntu.com/ --recv-keys 0x8CC5D97DEDD6A491
     gpg: keyserver receive failed: No data
     
     Where are we supposed to get the public key from?

The public keys for all released GNU tarballs can be found at 
https://ftp.gnu.org/gnu/gnu-keyring.gpg

Obviously you should not trust any signature unless the key is in a WOT that
you are personally satisfied with.

J'

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <https://sourceware.org/pipermail/binutils/attachments/20180128/339f06da/attachment.sig>


More information about the Binutils mailing list