Verifying signature via GPG fails
C0rn3j opened this issue · comments
Martin commented
Looks like the same issue as #359
gpg --recv-keys 9823FAA60ED1E580
gpg: key 9823FAA60ED1E580: "Greenbone Community Feed integrity key" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
curl -s -L https://github.com/greenbone/openvas/archive/v20.8.1.tar.gz -o source.tar.gz
curl -s -L https://github.com/greenbone/openvas/releases/download/v20.8.1/openvas-20.8.1.tar.gz.sig -o source.tar.gz.sig
gpg --verify source.tar.gz.sig source.tar.gz
---
gpg: Signature made Tue 02 Feb 2021 14:42:05 CET
gpg: using RSA key 9823FAA60ED1E580
gpg: BAD signature from "Greenbone Community Feed integrity key" [unknown]
It looks like the old releases are also affected, or I am doing something seriously wrong, as the archive dates for this one really seem to be from 17 Jul 2019
.
curl -s -L https://github.com/greenbone/openvas/archive/v6.0.1.tar.gz -o source.tar.gz
curl -s -L https://github.com/greenbone/openvas/releases/download/v6.0.1/openvas-6.0.1.tar.gz.sig -o source.tar.gz.sig
gpg --verify source.tar.gz.sig source.tar.gz
---
gpg: Signature made Wed 17 Jul 2019 16:50:08 CEST
gpg: using RSA key 9823FAA60ED1E580
gpg: BAD signature from "Greenbone Community Feed integrity key" [unknown]
Juan José Nicola commented