Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Signatures don't match with Release media signatures page?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
Marklar
n00b
n00b


Joined: 08 Feb 2019
Posts: 1

PostPosted: Thu Apr 04, 2019 9:03 pm    Post subject: Signatures don't match with Release media signatures page? Reply with quote

Hello, Gentoo forums:

I've downloaded:

    install-amd64-minimal-20190403T214503Z.iso
    install-amd64-minimal-20190403T214503Z.iso.CONTENTS
    install-amd64-minimal-20190403T214503Z.iso.DIGESTS
    install-amd64-minimal-20190403T214503Z.iso.DIGESTS.asc
    stage3-amd64-20190403T214503Z.tar.xz
    stage3-amd64-20190403T214503Z.tar.xz.CONTENTS
    stage3-amd64-20190403T214503Z.tar.xz.DIGESTS
    stage3-amd64-20190403T214503Z.tar.xz.DIGESTS.asc

in my Linux system; I'd like to try to install Gentoo.

But after:
Code:

# gpg --verify install-amd64-minimal-20190403T214503Z.iso.DIGESTS.asc

and:
Code:

# gpg --verify stage3-amd64-20190403T214503Z.tar.xz.DIGESTS.asc

both files are signed by key RSA ID B9F6043D (and this key isn't in the Release media signatures page!?).

I'm using gpg 1.4.23, and all downloaded files passed the sha512 and whirlpool hashes, BTW.

I've stopped installing Gentoo for now... have I done something wrong?
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5761

PostPosted: Fri Apr 05, 2019 2:58 pm    Post subject: Reply with quote

This seems like a valid concern. FWIW I can't find that key ID among the Gentoo-related ones installed on the system, nor any subkeys. Best to wait for someone responsible for these things to answer.
Back to top
View user's profile Send private message
GumbyTM
n00b
n00b


Joined: 30 Jun 2019
Posts: 2

PostPosted: Mon Jul 01, 2019 1:54 am    Post subject: Reply with quote

I had the same issue and actually started a new thread before finding yours.

https://forums.gentoo.org/viewtopic-t-1098788.html

(Lost a few hours today and feel dumb.)

The key shown appears to be a subkey of the primary key listed on the signatures page what you are seeing is the short name of the sub key.

534E 4209 AB49 EEE1 C19D 9616 2C44 695D B9F6 043D

Code:

gpg: Signature made Wed 26 Jun 2019 10:45:51 PM EDT
gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
     Subkey fingerprint: 534E 4209 AB49 EEE1 C19D  9616 2C44 695D B9F6 043D


You can reimport the key listed on the main page and the subkey should be recognized afterwards.

Code:

gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys "13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910"



Please note how I've said 'appears' as this is all based on my own experience and observation. Hope this helps.
Back to top
View user's profile Send private message
coderanger
n00b
n00b


Joined: 19 Sep 2018
Posts: 3

PostPosted: Tue Jul 02, 2019 2:39 pm    Post subject: Reply with quote

Looks like it was an issue on key server at that time, other people also observed the problem
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum