[gnutls-devel] GnuTLS | gnutls 3.7.8 tarball signed with different key than announced (#1410)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat Oct 1 19:01:36 CEST 2022



brandon kane created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1410



## Description of problem:
When attempting to verify the tarball signature, key A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB is found with not match to the gnutls keyring.  This also differs from the email announcement, stating key E987AB7F7E89667776D05B3BB0E9DD20B29F1432 was used.  Other two keys used match the keyring

## Version of gnutls used:
3.7.8

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Gnutls direct download

## How reproducible:
download 3.7.8 tarball and sig.  Open Kleopatra and verify tarball.

## Actual results:
Signatures found are:
5D46CB0F763405A7053556F47A75A648B3F9220C
462225C3B46F34879FC8496CD605848ED7E69871
A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB 
Last one is not present in gnutls keyring located at https://www.gnutls.org/gnutls-release-keyring.gpg

## Expected results:
Signatures found should be(according to 9/27 announcement):
5D46CB0F763405A7053556F47A75A648B3F9220C
462225C3B46F34879FC8496CD605848ED7E69871
E987AB7F7E89667776D05B3BB0E9DD20B29F1432
These three are all present in the keyring

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1410
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20221001/1678b9d4/attachment.html>


More information about the Gnutls-devel mailing list