GPG verification keys don't match
Mark Peloquin
markus at cs.wisc.edu
Sat Apr 11 01:01:02 CEST 2020
Since TeX Live is distributed over HTTP (at least the mirror closest to me), I thought I'd add signature verification to my update script. However, the signing key doesn't look right. I checked a mirror and the main ctan.org, and also a couple different .asc files. They both show 4CE1877E19438C70 as the public key:
% gpg --verify -v install-tl-windows.exe.sha512.asc
gpg: WARNING: unsafe permissions on homedir '/home/peloquin/.gnupg'
gpg: assuming signed data in 'install-tl-windows.exe.sha512'
gpg: Signature made 2020-04-06T05:51:16 PDT
gpg: using RSA key 4CE1877E19438C70
gpg: Can't check signature: No public key
But this shows that it should be 0D5E5D9106BAB6BC:
https://www.tug.org/texlive/doc/tlmgr.html#CRYPTOGRAPHIC-VERIFICATION
I found that the incorrect key appeared before on this mailing list. The reply says 'the actual signature file is broken':
https://tug.org/pipermail/tex-live/2018-September/042441.html
https://tug.org/pipermail/tex-live/2018-September/042446.html
Markus
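
An added example, not part of the original message or of TeX Live's own tooling: for an update script like the one described, the key ID gpg prints is that of the key which actually made the signature, and this can be a signing subkey rather than the primary key a project documents. gpg's `--status-fd` output reports both fingerprints on its `VALIDSIG` line, so a script can pin the primary key. The function names and the placeholder fingerprints below are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads the machine-readable status lines written by
#   gpg --status-fd 1 --verify FILE.asc FILE
# and accepts the signature only if it chains to a pinned primary key.

# Print "<signing-key-fpr> <primary-key-fpr>" from the first VALIDSIG line.
# In VALIDSIG, field 3 is the key that made the signature (possibly a subkey)
# and the last field is the fingerprint of the primary key it belongs to.
sig_fingerprints() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3, $NF; found = 1; exit }
         END { exit !found }'
}

# check_pinned PIN: status lines on stdin; returns 0 only for a valid
# signature whose primary-key fingerprint equals PIN (40 uppercase hex digits).
check_pinned() {
    pin=$1
    fprs=$(sig_fingerprints) || { echo "no valid signature" >&2; return 1; }
    signer=${fprs% *}
    primary=${fprs#* }
    if [ "$primary" != "$pin" ]; then
        echo "primary key $primary is not the pinned key" >&2
        return 1
    fi
    [ "$signer" = "$primary" ] || echo "signed by subkey $signer" >&2
    return 0
}

# Constructed sample data: placeholder fingerprints, not real keys.
SAMPLE_PIN=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SAMPLE_SUB=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_SUB 2020-04-06 1586177476 0 4 0 1 10 00 $SAMPLE_PIN"

if printf '%s\n' "$SAMPLE_STATUS" | check_pinned "$SAMPLE_PIN"; then
    echo "signature accepted"
fi
```

When the public key is missing from the keyring, as in the output quoted above, gpg emits no `VALIDSIG` line and `check_pinned` rejects the file.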