Re: findutils-4.2.15.tar.gz: signature verification problem


From: James Youngman
Subject: Re: findutils-4.2.15.tar.gz: signature verification problem
Date: Mon, 31 Jan 2005 22:50:22 +0000
User-agent: Mutt/1.5.6+20040907i

Nelson writes :-
> I just fetched the findutils-4.2.15.tar.gz distribution from
> ftp://ftp.gnu.org/gnu/findutils, along with its .sig file.
> 
> An initial attempt to verify the signature failed because there were
> no keys for ID 0x13141C36 on my key ring.  I tried about five
> different key servers before finding one that matched, installed it on
> my PGP keyring, and then got this:
[...]
>       % pgp findutils-4.2.15.tar.gz.sig
[...]
>       File 'findutils-4.2.15.tar.gz.sig' has signature, but with no text.
>       Text is assumed to be in file 'findutils-4.2.15.tar.gz'.
>       WARNING: Bad signature, doesn't match file contents!
> 
>       Bad signature from user "James Youngman <address@hidden>".
> 
> I don't have a separate verification from gpg, because pgpgpg could
> not import the signature file that I got from the key server.

I think this is an FAQ.  I have CC'ed this reply to the mailing list in
case this response is helpful to others.  See
http://lists.gnu.org/archive/html/bug-findutils/2004-11/msg00010.html
and
http://lists.gnu.org/archive/html/bug-findutils/2004-10/msg00031.html
for some helpful pointers.

gpg can do it.  I don't use pgp any more.  No idea what your problem is. 


> I routinely verify archive signatures, and this is the first time that
> I've found a mismatch, which means either tampering or corruption of
> the distribution files.

[...]
> I'm holding off on installation of this package until the signature
> issue is resolved.

Well, I hope you resolve it.  Message digests as measured at this end
(i.e. on the system used to build the releases and on which the files
are still stored) are:

$ md5sum findutils-4.2.15.tar.gz findutils-4.2.15.tar.gz.sig
a881b15aa7170aea045bf35cc92d48e7  findutils-4.2.15.tar.gz
a939da105702cc2a17cea2a73758b632  findutils-4.2.15.tar.gz.sig

$ gpg --verify findutils-4.2.15.tar.gz.sig
gpg: Signature made Sat 29 Jan 2005 00:57:14 GMT using DSA key ID 13141C36
gpg: Good signature from "James Youngman <address@hidden>"
gpg:                 aka "[jpeg image of size 4138]"

$ sha1sum findutils-4.2.15.tar.gz findutils-4.2.15.tar.gz.sig
5a9bad5680eb32419622ac068ce8c8123349eec8  findutils-4.2.15.tar.gz
fc6b4afc35ad036b842bd4b23c99524f46983849  findutils-4.2.15.tar.gz.sig

$ sha256 findutils-4.2.15.tar.gz findutils-4.2.15.tar.gz.sig
bash: sha256: command not found

$ gpg --version
gpg (GnuPG) 1.2.5
Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I have updated the text of the "Downloading" section of the web page at 
http://www.gnu.org/software/findutils/ to include some information about 
how the integrity of releases can be verified.  The actual web site is 
updated periodically from CVS, so you may not see the update appear on
the website for a few hours.

Regards,
James.

-- 
James Youngman
Manchester, UK.  
GPG key at http://savannah.gnu.org/people/viewgpg.php?user_id=8931

Attachment: signature.asc
Description: Digital signature
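The checks James runs above (compare published digests, then verify the detached signature) are easy to script so that a mismatch fails loudly instead of being eyeballed. The following is an added example, not code from the thread or from findutils: it defines a digest check that accepts md5/sha1/sha256 and a signature check that reports whether gpg is even installed, then exercises them on a constructed stand-in file (the expected digests of the string "hello" plus newline are well known). For a real download you would pass the tarball and the digests the maintainer published (for 4.2.15 James gives md5 a881b15aa7170aea045bf35cc92d48e7 and sha1 5a9bad5680eb32419622ac068ce8c8123349eec8). The `sha256sum` spelling is the modern coreutils name; James's 2005 box had no `sha256` command at all.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): verify a downloaded release
# against published message digests and, when gpg is present, its detached
# OpenPGP signature.  POSIX sh; needs coreutils md5sum/sha1sum/sha256sum.

# check_digest FILE ALGO EXPECTED
#   returns 0 when FILE's digest equals EXPECTED, 1 on mismatch,
#   2 for an unsupported algorithm name.
check_digest() {
    file=$1; algo=$2; expected=$3
    case "$algo" in
        md5)    actual=$(md5sum    "$file" | cut -d' ' -f1) ;;
        sha1)   actual=$(sha1sum   "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *) echo "check_digest: unknown algorithm '$algo'" >&2; return 2 ;;
    esac
    # Published digests are sometimes upper-case; compare case-insensitively.
    actual=$(printf '%s' "$actual"     | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $algo $file"
        return 0
    fi
    echo "FAIL $algo $file: got $actual, expected $expected" >&2
    return 1
}

# verify_signature SIGFILE
#   gpg locates the signed data as SIGFILE minus its .sig/.asc suffix,
#   exactly as in the 'gpg --verify findutils-4.2.15.tar.gz.sig' run above.
#   returns 0 for a good signature, 1 for bad/unknown key, 3 if gpg is absent
#   so the caller can decide whether digest-only checking is acceptable.
verify_signature() {
    sig=$1
    command -v gpg >/dev/null 2>&1 || return 3
    gpg --verify "$sig" >/dev/null 2>&1
}

# --- constructed demonstration input (not a real release) -------------------
# A six-byte file standing in for a tarball.  Its digests are the well-known
# values for the string "hello" followed by a newline.
SAMPLE_DIR=$(mktemp -d)
SAMPLE="$SAMPLE_DIR/sample.tar.gz"
printf 'hello\n' > "$SAMPLE"

SAMPLE_MD5=b1946ac92492d2347c6235b4d2611184
SAMPLE_SHA1=f572d396fae9206628714fb2ce00f72e94f2258f
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

check_digest "$SAMPLE" md5    "$SAMPLE_MD5"
check_digest "$SAMPLE" sha1   "$SAMPLE_SHA1"
check_digest "$SAMPLE" sha256 "$SAMPLE_SHA256"

# A deliberately wrong digest, to show that a mismatch is reported, not hidden.
check_digest "$SAMPLE" sha1 0000000000000000000000000000000000000000 || \
    echo "(mismatch correctly detected)"

# No .sig exists for the constructed sample; this only reports gpg availability.
verify_signature "$SAMPLE.sig"
case $? in
    0) echo "signature: good" ;;
    3) echo "signature: gpg not installed, digests only" ;;
    *) echo "signature: bad or unverifiable (missing .sig, unknown key, or tampering)" ;;
esac

rm -rf "$SAMPLE_DIR"
```

Note that a matching digest only proves you got the same bytes the maintainer measured; it is the signature, checked against a key you obtained independently of the download site, that ties those bytes to the maintainer.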

