openssh-4.1p1.tar.gz.asc has bad signature?

Darren Tucker dtucker at zip.com.au
Sun May 29 12:18:48 EST 2005


Matt Goebel wrote:
> #tcsh#machine# gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz
> gpg: Signature made Wed May 25 08:26:24 2005 EDT using DSA key ID 86FF9C48
> gpg: BAD signature from "Damien Miller (Personal Key) <djm at mindrot.org>"

From the datestamps it looks like the signature has been updated.  The 
current one does verify.

There was a last-minute change to the tarball and I suspect the 
signature was not updated at the time of the release.

$ gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz
gpg: Signature made Thu 26 May 2005 06:31:21 PM EST using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) <djm at mindrot.org>"

$ openssl sha1 openssh-4.1p1.tar.gz openssh-4.1p1.tar.gz.asc
SHA1(openssh-4.1p1.tar.gz)= e85d389da8ad8290f5031b8f9972e2623c674e46
SHA1(openssh-4.1p1.tar.gz.asc)= 1e59229f4ca6eb5aa0a3f13aeee8150559b98139

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




More information about the openssh-unix-dev mailing list