tahoe 1.16.0

Chad Dougherty crd at acm.org
Sun Oct 24 01:10:08 UTC 2021


On 2021-10-23 03:31, Jeffrey Walton wrote:
> On Sat, Oct 23, 2021 at 3:25 AM jg71 <jg71 at p8d.org> wrote:
>>
>> * Chad Dougherty <crd at acm.org> wrote:
>>
>>> There appear to be some problems with the signature on the new release
>>> tarball:
>>> $ gpg tahoe-lafs-1.16.0.tar.gz.asc
>>> gpg: assuming signed data in `tahoe-lafs-1.16.0.tar.gz'
>>> gpg: Signature made Tue Oct 19 19:38:15 2021 EDT using RSA key ID 128069A7
>>> gpg: BAD signature from "meejah <meejah at meejah.ca>"
>>
>> cannot reproduce:
>>
>> $ gpg2 tahoe-lafs-1.16.0.tar.gz.asc
> 
> gpg versus gpg2?
> 
> Ubuntu is still shipping gpg:
> 
> $ lsb_release -a
> Distributor ID:    Ubuntu
> Description:    Ubuntu 20.04.3 LTS
> ...
> 
> $ command -v gpg
> /usr/bin/gpg
> $ command -v gpg2
> $
> 

Somehow, I wound up with a corrupted tarball even after trying several 
times the other day.  Here's what I see:
$ sha256sum.exe tahoe-lafs-1.16.0.tar.gz{,.bad}
0b1e05269b698dcae6b60c7bfa11f10f4e3aa07a681242a66d294aa4b7513525 
*tahoe-lafs-1.16.0.tar.gz
81fb7ae0afe312108dcb150d2b8619b8f6ce81a3f5c1b9d5194e162addbc9f08 
*tahoe-lafs-1.16.0.tar.gz.bad
$ file tahoe-lafs-1.16.0.tar.gz{,.bad}
tahoe-lafs-1.16.0.tar.gz:     gzip compressed data, was 
"dist/tahoe-lafs-1.16.0.tar", last modified: Tue Oct 19 23:28:56 2021, 
max compression, original size modulo 2^32 7946240
tahoe-lafs-1.16.0.tar.gz.bad: gzip compressed data, from Unix, original 
size modulo 2^32 1802556

I just tried again now and the signature verifies with both gpg and gpg2:
$ gpg2 tahoe-lafs-1.16.0.tar.gz.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'tahoe-lafs-1.16.0.tar.gz'
gpg: Signature made Tue Oct 19 19:38:15 2021 EDT
gpg:                using RSA key 9D5A2BD5688ECB889DEBCD3FC2602803128069A7
gpg: Good signature from "meejah <meejah at meejah.ca>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the 
owner.
Primary key fingerprint: 9D5A 2BD5 688E CB88 9DEB  CD3F C260 2803 1280 69A7
$ gpg tahoe-lafs-1.16.0.tar.gz.asc
gpg: assuming signed data in `tahoe-lafs-1.16.0.tar.gz'
gpg: Signature made Tue Oct 19 19:38:15 2021 EDT using RSA key ID 128069A7
gpg: Good signature from "meejah <meejah at meejah.ca>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the 
owner.
Primary key fingerprint: 9D5A 2BD5 688E CB88 9DEB  CD3F C260 2803 1280 69A7


Sorry for what was likely a false alarm although I suppose there's a 
chance that something was genuinely going wrong.

-- 
     -Chad


More information about the tahoe-dev mailing list