Bad signatures issued on macOS
NIIBE Yutaka
gniibe at fsij.org
Tue Feb 24 01:30:03 CET 2026
Jordan Martinez wrote:
> Using 2.5.17, I tried verifying the same signature 100 times via a script
> and got a bad signature on each attempt. Here's how I ran such a test. Let
> me know whether or not this is a valid test run.
It is a valid test run.
My debug showed that the key used for signature validation was wrong for
some reason. It was not possible to determine why the wrong key was selected.
If it is possible to share the public key in question (6E628CC4145FD2ED)
and the signature (a single signature is enough) with input, please send
me those. ** Please never send the private key. **
# I tried to find the key on public keyservers and WKD, but it's not
# available.
If it is not possible, please investigate the public key.
* Is the subkey expired?
* Is the subkey revoked?
* Is the subkey qualified for modern use cases?
(For example, it's possible to have short key length in current standard.)
I think that one of those could be a reason why the wrong key was selected.
There might be other possibilities.
--
More information about the Gnupg-users mailing list
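
The three checks listed in the message above (expired, revoked, short key length) can be read from GnuPG's colon-delimited key listing. The following is an added example, not part of the original message and not GnuPG code; the sample listing is constructed, its key IDs are placeholders, and the 2048-bit threshold is an assumption.

```python
import time

# Constructed sample shaped like `gpg --with-colons --list-keys` output
# (record layout per GnuPG doc/DETAILS). Key IDs are placeholders.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1500000000:1600000000:::::s:
sub:r:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::s:
sub:u:1024:17:DDDDDDDDDDDDDDDD:1500000000::::::s:
sub:u:255:22:EEEEEEEEEEEEEEEE:1700000000::::::s:
sub:u:255:18:FFFFFFFFFFFFFFFF:1700000000::::::e:
"""

MIN_BITS = 2048                  # assumption: what counts as a "short" key
SIZED_ALGOS = {"1", "16", "17"}  # RSA, Elgamal, DSA: length field is meaningful


def audit_keys(colons, now=None):
    """Map each pub/sub key ID to a list of reasons it may be rejected."""
    now = int(time.time()) if now is None else now
    report = {}
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        validity, bits, algo, keyid = f[1], f[2], f[3], f[4]
        expires, caps = f[6], f[11]
        problems = []
        if validity == "r":
            problems.append("revoked")
        # Field 2 is 'e' when gpg considers it expired; also check field 7.
        if validity == "e" or (expires.isdigit() and int(expires) <= now):
            problems.append("expired")
        if algo in SIZED_ALGOS and bits.isdigit() and int(bits) < MIN_BITS:
            problems.append(f"short key ({bits} bits)")
        # Lower-case letters in field 12 are this key's own capabilities.
        if "s" not in caps:
            problems.append("not signing-capable")
        report[keyid] = problems
    return report


if __name__ == "__main__":
    for keyid, problems in audit_keys(SAMPLE, now=1750000000).items():
        print(keyid, ", ".join(problems) or "ok")
```

To run it against a real key, pass the text printed by `gpg --with-colons --list-keys 6E628CC4145FD2ED` to `audit_keys` in place of `SAMPLE`.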