On la, 18 syys 2021, Patrick Northon via FreeIPA-users wrote:
Hi, I'm having a problem verifying the signature of the latest
release
(4.9.7), did something change with how it is signed?
Previous releases work fine:
gpg: Signature made mar 29 jun 2021 11:32:36 EDT
gpg: using RSA key 840A1D1C7F3EC4B2FE5304354719E2B8ABBF621A
gpg: Good signature from "FreeIPA Master Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0E63 D716 D76A C080 A4A3 3513 F408 00B6 298E B963
Subkey fingerprint: 840A 1D1C 7F3E C4B2 FE53 0435 4719 E2B8 ABBF 621A
Current release:
gpg: Signature made jeu 19 aoû 2021 11:23:09 EDT
gpg: using RSA key FAF42668FC4263CD83C365149F853DF24BC2DFE1
gpg: Can't check signature: No public key
Was it signed with a different key?
Yes, it was signed with a different subkey by François Cami as I was on
a vacation and wasn't available to do the release.
I guess François forgot to publish this subkey to GPG servers.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland