Announce: OpenSSH 7.6 released

Phil Pennock phil.pennock at globnix.org
Wed Oct 4 09:58:41 AEDT 2017


On 2017-10-03 at 14:50 -0600, Damien Miller wrote:
> Please note that the SHA256 signatures are base64 encoded and not
> hexadecimal (which is the default for most checksum tools). The PGP
> key used to sign the releases is available as RELEASE_KEY.asc from
> the mirror sites.

Of the two up-to-date mirrors with 7.6 I can find:
  rsync://openbsd.cs.toronto.edu/openbsd/OpenSSH/portable/
  https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
neither has a "RELEASE_KEY.asc" file.

There's:  DJM-GPG-KEY.asc

For the Fastly case, I've confirmed that this is not a stale cached
index issue and that putting in RELEASE_KEY.asc as a filename yields a
404.

The file "DJM-GPG-KEY.asc" contains the PGP key 0xCE8ECB0386FF9C48 which
was revoked in 2013.  The signature I do see on the release was made
with PGP key 0xD3E5F56B6D920D30, which was created the same day.

I have a trust-path to the key 0xD3E5F56B6D920D30 so I'm good, but
something seems to have gone askew here.

-Phil
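
Added example, not part of the original message and not OpenSSH project code: a Python check that compares a file's SHA256 digest with a published value whether that value is base64 (as the quoted announcement note describes) or hexadecimal. The `SHA256 (name) = value` line layout, the function names and the sample data are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Assumed layout of a published checksum line (BSD style): "SHA256 (name) = value"
LINE_RE = re.compile(r"^[\s-]*SHA256 \((?P<name>[^)]+)\) = (?P<value>\S+)\s*$")
HEX_RE = re.compile(r"[0-9a-fA-F]{64}")


def decode_sha256(value: str) -> bytes:
    """Return the raw 32-byte digest from a base64 or hexadecimal string."""
    if HEX_RE.fullmatch(value):               # what most checksum tools print
        return bytes.fromhex(value)
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("checksum is neither hex nor base64") from exc
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("decoded checksum is not 32 bytes long")
    return raw


def verify_line(line: str, filename: str, data: bytes) -> bool:
    """Check data against the published checksum line for filename."""
    match = LINE_RE.match(line)
    if match is None or match.group("name") != filename:
        raise ValueError("no SHA256 entry for " + filename)
    expected = decode_sha256(match.group("value"))
    actual = hashlib.sha256(data).digest()
    return hmac.compare_digest(expected, actual)  # compare raw bytes, not text


# Constructed sample input, not a real release artifact.
SAMPLE_NAME = "example-1.0.tar.gz"
SAMPLE_DATA = b"constructed sample tarball contents"
_digest = hashlib.sha256(SAMPLE_DATA).digest()
BASE64_LINE = " - SHA256 (%s) = %s" % (SAMPLE_NAME, base64.b64encode(_digest).decode())
HEX_LINE = "SHA256 (%s) = %s" % (SAMPLE_NAME, _digest.hex())

if __name__ == "__main__":
    print(verify_line(BASE64_LINE, SAMPLE_NAME, SAMPLE_DATA))         # matching file
    print(verify_line(HEX_LINE, SAMPLE_NAME, SAMPLE_DATA))            # same digest, hex form
    print(verify_line(BASE64_LINE, SAMPLE_NAME, SAMPLE_DATA + b"x"))  # modified file
```

Decoding both forms to raw bytes before comparing avoids the false mismatch that results from comparing a tool's hexadecimal output with the base64 string as text.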

