Verifying signature via GPG fails

Question

Verifying signature via GPG fails

C0rn3j opened this issue 3 years ago · comments

Looks like the same issue as #359

gpg --recv-keys 9823FAA60ED1E580
gpg: key 9823FAA60ED1E580: "Greenbone Community Feed integrity key" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

curl -s -L https://github.com/greenbone/openvas/archive/v20.8.1.tar.gz -o source.tar.gz
curl -s -L https://github.com/greenbone/openvas/releases/download/v20.8.1/openvas-20.8.1.tar.gz.sig -o source.tar.gz.sig
gpg --verify source.tar.gz.sig source.tar.gz
---
gpg: Signature made Tue 02 Feb 2021 14:42:05 CET
gpg:                using RSA key 9823FAA60ED1E580
gpg: BAD signature from "Greenbone Community Feed integrity key" [unknown]

It looks like the old releases are also affected, or I am doing something seriously wrong, as the archive dates for this one really seem to be from 17 Jul 2019.

curl -s -L https://github.com/greenbone/openvas/archive/v6.0.1.tar.gz -o source.tar.gz
curl -s -L https://github.com/greenbone/openvas/releases/download/v6.0.1/openvas-6.0.1.tar.gz.sig -o source.tar.gz.sig
gpg --verify source.tar.gz.sig source.tar.gz
---
gpg: Signature made Wed 17 Jul 2019 16:50:08 CEST
gpg:                using RSA key 9823FAA60ED1E580
gpg: BAD signature from "Greenbone Community Feed integrity key" [unknown]

Juan José Nicola · Answer 1 · Tue Feb 23 2021 18:20:28 GMT+0800 (China Standard Time)

Hi @C0rn3j
Thanks for reporting this. Indeed, it is the same issue as #359. We change the repository name and that broke the signature.
I have just replace the signature files with the new ones.