Release signatures incorrect?


Release signatures incorrect?

martijn.list
Hi,

I downloaded the latest RC release from the provided link

https://github.com/roundcube/roundcubemail/releases/download/1.4.0/roundcubemail-1.4.0.tar.gz

I then downloaded the signature

https://github.com/roundcube/roundcubemail/releases/download/1.4.0/roundcubemail-1.4.0.tar.gz.asc

When I try to validate the signature gpg tells me:

gpg --verify roundcubemail-1.4.0.tar.gz.asc
gpg: assuming signed data in 'roundcubemail-1.4.0.tar.gz'
gpg: Signature made za 09 nov 2019 21:30:45 CET
gpg:                using RSA key 8970E37A698AF775D87D590DC2946A9609CD56B4
gpg:                issuer "[hidden email]"


This shows that the signer has the key id:

8970E37A698AF775D87D590DC2946A9609CD56B4

However according to the website the (short) key ID should be:

41C4F7D5

The download link for the signing key
(https://roundcube.net/download/pubkey.asc) matches the above short key id:

F3E4C04BB3DB5D4215C45F7F5AB2BAA141C4F7D5

So either the packages have been signed with a different Roundcube dev's
key or the packages have been modified (or I'm doing something stupid :)

Any idea?


Kind regards,

Martijn Brinkers
_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users

Re: Release signatures incorrect?

martijn.list
Sorry, it was the last option "I'm doing something stupid" :)

The package was signed with a sub key which I missed.

Kind regards,

Martijn Brinkers

On 11-11-19 14:19, Martijn Brinkers wrote:

> Hi,
>
> I downloaded the latest RC release from the provided link
>
> https://github.com/roundcube/roundcubemail/releases/download/1.4.0/roundcubemail-1.4.0.tar.gz
>
> I then downloaded the signature
>
> https://github.com/roundcube/roundcubemail/releases/download/1.4.0/roundcubemail-1.4.0.tar.gz.asc
>
> When I try to validate the signature gpg tells me:
>
> gpg --verify roundcubemail-1.4.0.tar.gz.asc
> gpg: assuming signed data in 'roundcubemail-1.4.0.tar.gz'
> gpg: Signature made za 09 nov 2019 21:30:45 CET
> gpg:                using RSA key 8970E37A698AF775D87D590DC2946A9609CD56B4
> gpg:                issuer "[hidden email]"
>
>
> This shows that the signer has the key id:
>
> 8970E37A698AF775D87D590DC2946A9609CD56B4
>
> However according to the website the (short) key ID should be:
>
> 41C4F7D5
>
> The download link for the signing key
> (https://roundcube.net/download/pubkey.asc) matches the above short key id:
>
> F3E4C04BB3DB5D4215C45F7F5AB2BAA141C4F7D5
>
> So either the packages have been signed with a different Roundcube dev's
> key or the packages have been modified (or I'm doing something stupid :)
>
> Any idea?
>
>
> Kind regards,
>
> Martijn Brinkers
>
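A worked check for the situation in this thread, added here as an example (it is not Roundcube project code and was not posted by Martijn). `gpg --verify` prints the fingerprint of the key that made the signature, which here is a signing subkey, while the fingerprint on the download page is the primary key. GnuPG's machine-readable `--status-fd` output carries both in its VALIDSIG line, so a script can pin the primary fingerprint and still accept signatures from any of its subkeys, and can explain the short-key-ID mismatch (41C4F7D5 vs 09CD56B4) that caused the confusion. The sample status output below is constructed: the two fingerprints and the timestamp are from the post, the other VALIDSIG fields are plausible placeholder values, and the user ID is omitted.

```python
"""Verify a detached GnuPG signature against a pinned *primary-key* fingerprint.

Added example, not Roundcube project code. The VALIDSIG status line names both
the key that produced the signature (often a subkey) and the primary key that
owns it, so pinning the published primary fingerprint is enough.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

# Primary-key fingerprint quoted in the post (https://roundcube.net/download/pubkey.asc).
EXPECTED_PRIMARY_FPR = "F3E4C04BB3DB5D4215C45F7F5AB2BAA141C4F7D5"

# Constructed sample of `gpg --status-fd 1 --verify` output for the signature in
# the post. The two fingerprints and the timestamp (2019-11-09 21:30:45 CET) are
# from the post; the remaining VALIDSIG fields are placeholder values, not
# captured output. Field layout per GnuPG's doc/DETAILS:
#   VALIDSIG <sig-fpr> <date> <timestamp> <expire-ts> <sig-version> <reserved>
#            <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C2946A9609CD56B4 [user id omitted in this constructed sample]
[GNUPG:] VALIDSIG 8970E37A698AF775D87D590DC2946A9609CD56B4 2019-11-09 1573331445 0 4 0 1 8 00 F3E4C04BB3DB5D4215C45F7F5AB2BAA141C4F7D5
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Status keywords that mean "do not trust this signature" even if VALIDSIG appears
# (GnuPG still emits VALIDSIG for signatures made with expired or revoked keys).
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class SigInfo:
    signing_fpr: str  # key that produced the signature (here: a subkey)
    primary_fpr: str  # primary key that owns the signing key
    good: bool        # GOODSIG seen and no rejecting keyword seen


def short_key_id(fpr: str) -> str:
    """Last 8 hex digits of a fingerprint, i.e. the 32-bit short key ID.

    Only here to explain the mismatch in the thread (41C4F7D5 vs 09CD56B4);
    short IDs are trivially collidable and must never be used for pinning.
    """
    return fpr[-8:].upper()


def parse_status(status: str) -> Optional[SigInfo]:
    """Parse GnuPG status-fd lines; return None if no VALIDSIG line is present."""
    good = False
    rejected = False
    signing_fpr = primary_fpr = None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # anything else on the stream is not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword in REJECT_KEYWORDS:
            rejected = True
        elif keyword == "VALIDSIG" and len(fields) >= 12:
            signing_fpr = fields[2].upper()
            primary_fpr = fields[11].upper()
    if signing_fpr is None or primary_fpr is None:
        return None
    return SigInfo(signing_fpr, primary_fpr, good and not rejected)


def check_signature(status: str, expected_primary_fpr: str) -> Tuple[bool, str]:
    """Accept only a good signature whose primary key is the pinned one."""
    info = parse_status(status)
    if info is None:
        return False, "no VALIDSIG line: signature did not verify"
    if not info.good:
        return False, "GnuPG reported the signature as bad, expired or revoked"
    if info.primary_fpr != expected_primary_fpr.upper():
        return False, f"signed by primary key {info.primary_fpr}, expected {expected_primary_fpr}"
    if info.signing_fpr != info.primary_fpr:
        return True, f"good signature by subkey {info.signing_fpr} of primary key {info.primary_fpr}"
    return True, f"good signature by primary key {info.primary_fpr}"


def verify_with_gpg(sig_path: str, data_path: str, expected_primary_fpr: str) -> Tuple[bool, str]:
    """Run gpg for real; the public key must already be imported into the keyring.

    --status-fd 1 puts the machine-readable lines on stdout; the human-readable
    'using RSA key ...' text from the post goes to stderr and is ignored here.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return check_signature(proc.stdout, expected_primary_fpr)


if __name__ == "__main__":
    info = parse_status(SAMPLE_STATUS)
    print("signing subkey short ID:", short_key_id(info.signing_fpr))
    print("pinned primary short ID:", short_key_id(EXPECTED_PRIMARY_FPR))
    ok, why = check_signature(SAMPLE_STATUS, EXPECTED_PRIMARY_FPR)
    print("accepted" if ok else "REJECTED", "-", why)
```

For the real check, import pubkey.asc first (`gpg --import pubkey.asc`), then call `verify_with_gpg("roundcubemail-1.4.0.tar.gz.asc", "roundcubemail-1.4.0.tar.gz", EXPECTED_PRIMARY_FPR)`. Pinning the primary fingerprint rather than a short key ID, and reading it from the VALIDSIG line rather than from the human-readable output, is what makes the check robust to the project rotating or adding signing subkeys.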