Announce: OpenSSH 7.6 released
Phil Pennock
phil.pennock at globnix.org
Wed Oct 4 09:58:41 AEDT 2017
On 2017-10-03 at 14:50 -0600, Damien Miller wrote:
> Please note that the SHA256 signatures are base64 encoded and not
> hexadecimal (which is the default for most checksum tools). The PGP
> key used to sign the releases is available as RELEASE_KEY.asc from
> the mirror sites.
Of the two up-to-date mirrors with 7.6 I can find:
rsync://openbsd.cs.toronto.edu/openbsd/OpenSSH/portable/
https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
neither has a "RELEASE_KEY.asc" file.
There's: DJM-GPG-KEY.asc
For the Fastly case, I've confirmed that this is not a stale cached
index issue and that putting in RELEASE_KEY.asc as a filename yields a
404.
The file "DJM-GPG-KEY.asc" contains the PGP key 0xCE8ECB0386FF9C48 which
was revoked in 2013. The signature I do see on the release was made
with PGP key 0xD3E5F56B6D920D30, which was created the same day.
I have a trust-path to the key 0xD3E5F56B6D920D30 so I'm good, but
something seems to have gone askew here.
-Phil
More information about the openssh-unix-dev
mailing list