openssh-4.1p1.tar.gz.asc has bad signature?

Damien Miller djm at mindrot.org
Sun May 29 17:25:50 EST 2005


Darren Tucker wrote:
> From the datestamps it looks like the signature has been updated.  The 
> current one does verify.
> 
> There was a last-minute change to the tarball and I suspect the 
> signature was not updated at the time of the release.

Close - the release scripts now sign the tar.gz files directly with
gzsig[1], but I erroneously added this *after* the gpg/sha1 signature
generation. Since it modified the .gz file, it broke the signature.

This was noticed very quickly, but getting the updated signature
distributed to the mirrors took some time because the master ftp
server had "issues".

-d

[1]
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/gzsig/
http://monkey.org/~dugsong/gzsig-1.0.tar.gz
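
The ordering problem described in the message above, as an added example that is not part of the original post or of the OpenSSH release scripts. It assumes a stand-in for the in-file signing step that stores bytes in a gzip header extra field (RFC 1952); this is not gzsig's actual format, and the "ZZ" subfield id and payload are constructed.

```python
import gzip
import hashlib
import struct

FEXTRA = 0x04  # RFC 1952 FLG bit: an "extra field" follows the fixed header


def embed_in_gzip_header(gz: bytes, blob: bytes, subfield_id: bytes = b"ZZ") -> bytes:
    """Return a copy of gz with blob stored in a header extra subfield.

    Hypothetical stand-in for an in-file signer; "ZZ" is a made-up subfield id.
    """
    if gz[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a deflate-compressed gzip member")
    if gz[3] & FEXTRA:
        raise ValueError("header already has an extra field")
    subfield = subfield_id + struct.pack("<H", len(blob)) + blob
    extra = struct.pack("<H", len(subfield)) + subfield
    # The fixed header is 10 bytes; the extra field goes directly after it,
    # ahead of any FNAME/FCOMMENT/FHCRC fields.
    return gz[:3] + bytes([gz[3] | FEXTRA]) + gz[4:10] + extra + gz[10:]


def detached_digest(data: bytes) -> str:
    """Stand-in for the detached gpg/sha1 step: covers every byte of the file."""
    return hashlib.sha1(data).hexdigest()


def release(payload: bytes, detached_first: bool):
    """Run both signing steps in the given order; return (published file, digest)."""
    tarball = gzip.compress(payload, mtime=0)
    marker = b"constructed in-file signature"
    if detached_first:   # detached signature made, then the .gz is modified
        digest = detached_digest(tarball)
        tarball = embed_in_gzip_header(tarball, marker)
    else:                # .gz is modified first, then the detached signature is made
        tarball = embed_in_gzip_header(tarball, marker)
        digest = detached_digest(tarball)
    return tarball, digest


def verifies(published: bytes, digest: str) -> bool:
    """True if the detached digest still matches the file as published."""
    return detached_digest(published) == digest


if __name__ == "__main__":
    payload = b"constructed tarball contents\n" * 64
    for first in (True, False):
        published, digest = release(payload, detached_first=first)
        print("detached first:", first, "| detached check passes:", verifies(published, digest),
              "| payload intact:", gzip.decompress(published) == payload)
```

In both orders the decompressed contents are identical; only the detached check over the published .gz bytes differs.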




More information about the openssh-unix-dev mailing list