openssh-4.1p1.tar.gz.asc has bad signature?
Darren Tucker
dtucker at zip.com.au
Sun May 29 12:18:48 EST 2005
Matt Goebel wrote:
> #tcsh#machine# gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz
> gpg: Signature made Wed May 25 08:26:24 2005 EDT using DSA key ID 86FF9C48
> gpg: BAD signature from "Damien Miller (Personal Key) <djm at mindrot.org>"
From the datestamps it looks like the signature has been updated. The
current one does verify.
There was a last-minute change to the tarball and I suspect the
signature were not updated at the time of the release.
$ gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz
gpg: Signature made Thu 26 May 2005 06:31:21 PM EST using DSA key ID
86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <djm at mindrot.org>"
$ openssl sha1 openssh-4.1p1.tar.gz openssh-4.1p1.tar.gz.asc
SHA1(openssh-4.1p1.tar.gz)= e85d389da8ad8290f5031b8f9972e2623c674e46
SHA1(openssh-4.1p1.tar.gz.asc)= 1e59229f4ca6eb5aa0a3f13aeee8150559b98139
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list