GPG verification keys don't match
Norbert Preining
norbert at preining.info
Sat Apr 11 02:48:07 CEST 2020
Hi,
On Fri, 10 Apr 2020, Mark Peloquin wrote:
> Since TeX Live is distributed over HTTP (at least the mirror closest to me), I thought I'd add signature verification to my update script. However, the signing key doesn't look right. I checked a mirror and the main ctan.org, and also a couple different .asc files. They both show 4CE1877E19438C70 as the public key:
>
> gpg: using RSA key 4CE1877E19438C70
> But this shows that it should be 0D5E5D9106BAB6BC:
0D5E5D9106BAB6BC = public key id
4CE1877E19438C70 = private sub key that does the signatures
As can easily be seen by doing
gpg --list-keys ID
$ gpg --list-keys 0x4CE1877E19438C70
pub rsa2048/0x0D5E5D9106BAB6BC 2016-03-19 [SC]
Key fingerprint = C78B 82D8 C795 12F7 9CC0 D7C8 0D5E 5D91 06BA B6BC
uid [ full ] TeX Live Distribution <tex-live at tug.org>
sub rsa2048/0x72A5E8C1B001980F 2016-03-19 [E]
sub rsa2048/0x4CE1877E19438C70 2016-03-19 [S] [expires: 2021-07-30]
$ gpg --list-keys 0x0D5E5D9106BAB6BC
pub rsa2048/0x0D5E5D9106BAB6BC 2016-03-19 [SC]
Key fingerprint = C78B 82D8 C795 12F7 9CC0 D7C8 0D5E 5D91 06BA B6BC
uid [ full ] TeX Live Distribution <tex-live at tug.org>
sub rsa2048/0x72A5E8C1B001980F 2016-03-19 [E]
sub rsa2048/0x4CE1877E19438C70 2016-03-19 [S] [expires: 2021-07-30]
Nothing incorrect here.
Norbert
--
PREINING Norbert https://www.preining.info
Accelia Inc. + IFMGA ProGuide + TU Wien + JAIST + TeX Live + Debian Dev
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
More information about the tex-live
mailing list.