https://bugzilla.redhat.com/show_bug.cgi?id=1821120
Bob Hepple <bob.hepple@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(bob.hepple@gmail. |
                   |com)                        |

--- Comment #4 from Bob Hepple <bob.hepple@gmail.com> ---
Hi Lyes,
I've spent most of this morning studying up on the %gpgverify issue and I just can't get it to work.
Note that AFAICS the .sig on the releases page does not refer to Source0 but to some arbitrary tarball wlogout.tar.gz that the author uploaded:
$ ll wlogout-1.1.1.tar.gz wlogout.tar.gz
-rw-rw-r--. 1 bhepple bhepple 540189 Apr  6 14:07 wlogout-1.1.1.tar.gz
-rw-rw-r--. 1 bhepple bhepple 624640 Apr 20 11:39 wlogout.tar.gz
Having downloaded the author's public key, it does not verify that file:
$ gpgv --keyring ./gpg-key-F4FDB18A9937358364B276E9E25D679AF73C6D2F.gpg wlogout.tar.gz.sig wlogout.tar.gz
gpgv: Signature made Sat 14 Mar 2020 15:37:44 AEST
gpgv:                using RSA key F4FDB18A9937358364B276E9E25D679AF73C6D2F
gpgv: [don't know]: invalid packet (ctb=2d)
gpgv: keydb_search failed: Invalid packet
gpgv: [don't know]: invalid packet (ctb=2d)
gpgv: keydb_search failed: Invalid packet
gpgv: Can't check signature: No public key
The wlogout.tar.gz does not actually download as a gzipped tarball but as a plain tarball - so it's pretty suspicious!
In any case I think we want to be working with Source0 as that's a tarball generated by github from the repo automatically.
Any ideas?
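
Two symptoms in the comment above can be checked from the leading bytes of the files: `ctb=2d` is gpgv reporting a first byte of 0x2d (ASCII `-`), which is how an ASCII-armored key file begins, and a gzip stream always starts with the bytes 1f 8b. The shell functions below are an added example, not part of the bug comment or the wlogout project; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a keyring and a tarball by their leading bytes.
# Function names and sample files are constructed for illustration.

# Print N bytes of FILE starting at OFFSET as lowercase hex without spaces.
hex_at() {  # usage: hex_at FILE OFFSET N
    od -A n -v -t x1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# armored: starts with "-----" (first byte 0x2d, what gpgv prints as ctb=2d)
# binary : first byte has bit 7 set, as every OpenPGP packet tag does
keyring_format() {
    if [ "$(hex_at "$1" 0 5)" = 2d2d2d2d2d ]; then
        echo armored    # convert with: gpg --dearmor < key.asc > key.gpg
        return
    fi
    first=$(hex_at "$1" 0 1)
    if [ -n "$first" ] && [ $((0x$first & 0x80)) -ne 0 ]; then
        echo binary
    else
        echo unknown
    fi
}

# gzip: magic 1f 8b at offset 0; tar: "ustar" at offset 257 of the header
archive_format() {
    if [ "$(hex_at "$1" 0 2)" = 1f8b ]; then
        echo gzip
    elif [ "$(hex_at "$1" 257 5)" = 7573746172 ]; then
        echo tar
    else
        echo unknown
    fi
}

# Constructed sample inputs (not real keys or release files).
make_samples() {  # usage: make_samples DIR
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$1/key.asc"
    printf '\231\001\015' > "$1/key.gpg"       # 0x99 = public-key packet tag
    printf '\037\213\010' > "$1/real.tar.gz"   # gzip magic
    { dd if=/dev/zero bs=257 count=1 2>/dev/null; printf 'ustar'; } > "$1/plain.tar.gz"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_samples "$d"
    for f in key.asc key.gpg; do echo "$f: $(keyring_format "$d/$f")"; done
    for f in real.tar.gz plain.tar.gz; do echo "$f: $(archive_format "$d/$f")"; done
    rm -rf "$d"
fi
```

Run the script with the argument `demo` to print the classification of the constructed samples.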