Verifying signature via GPG fails
rbreejen opened this issue · comments
Rogier den Breejen commented
Looks like the same issue as #359 and #666. I am not able to verify Openvas v20.8.0.
Tried upgrading to v20.8.1 as an alternative, but that version is incompatible with Ubuntu 20.04 (libgnutls 3.6.13 < required libgnutls 3.6.4).
gpg --recv-keys 9823FAA60ED1E580
gpg: key 9823FAA60ED1E580: "Greenbone Community Feed integrity key" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
curl -s -L https://github.com/greenbone/openvas-scanner/archive/refs/tags/v20.8.0.tar.gz -o source.tar.gz
curl -s -L https://github.com/greenbone/openvas-scanner/releases/download/v20.8.0/openvas-20.8.0.tar.gz.sig -o source.tar.gz.sig
gpg --verify source.tar.gz.sig source.tar.gz
---
gpg: Signature made di 11 aug 15:01:32 2020 CEST
gpg: using RSA key 9823FAA60ED1E580
gpg: BAD signature from "Greenbone Community Feed integrity key" [unknown]
Juan José Nicola commented
Hi @rbreejen
Old signatures were replaced. Thanks for reporting.