[SOLVED] PGP reads bad signature from SlackBuilds.org

cfdisk · 03-14-2013, 11:41 AM

Hello,

I can't verify pwgen signature from SlackBuilds

Code:

[mike:~/build]$ gpg pwgen.tar.gz.asc 
Detached signature.
Please enter name of data file: pwgen-2.06.tar.gz 
gpg: Signature made Wed 27 Apr 2011 07:05:54 PM EDT using DSA key ID 9C7BA3B6
gpg: BAD signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"

I checked it twice and I guess there was no mistakes on my side because another script, fakeroot, verifies:

Code:

[mike:~/build]$ gpg fakeroot.tar.gz.asc 
gpg: Signature made Wed 27 Apr 2011 07:15:45 PM EDT using DSA key ID 9C7BA3B6
gpg: Good signature from "SlackBuilds.org Development Team <slackbuilds-devel@slackbuilds.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D307 6BC3 E783 EE74 7F09  B8B7 0368 EF57 9C7B A3B6

Just in case, this is my folder:

Code:

[mike:~/build]$ ls -l                         
total 48
-rw-r--r-- 1 mike users  2370 Feb  6  2007 GPG-KEY
-rw-r--r-- 1 mike users  2488 Mar 14 11:22 fakeroot.tar.gz
-rw-r--r-- 1 mike users   198 Apr 27  2011 fakeroot.tar.gz.asc
-rw-r--r-- 1 mike users 30952 Mar 14 11:50 pwgen-2.06.tar.gz
-rw-r--r-- 1 mike users   198 Apr 27  2011 pwgen.tar.gz.asc

Could you please look into the matter?

Thanks in advance.

M.

T3slider · 03-14-2013, 11:47 AM

I'm no expert, but I believe you are trying to manually use the pwgen.tar.gz.asc file to verify the *source* pwgen-2.06.tar.gz file since the SBo pwgen.tar.gz file is missing. SBo's signatures verify the SlackBuild tarballs, not the source (the source is indirectly verified by the md5sum contained in the verified SlackBuild tarball, in the pwgen.info file). Download the correct file and re-verify and it should all work out.

cfdisk · 03-14-2013, 11:54 AM

Thanks, T3slider!

You are right.