[Savannah-users] Savannah's x.509 certificate fingerprints

[Taylor R Campbell]

I just fetched Savannah's x.509 certificates from
<http://savannah.gnu.org/tls/> and verified the signed PGP message
containing the fingerprints.  I first noticed that that there's a
fingerprint for `cvs.*gnu.org', without any link to a certificate
above.  Then I checked the fingerprints on all the certificates, and
found that while the certificate authority matched the fingerprint
listed in the signed PGP message, the other two didn't.  Here are the
fingerprints that the signed PGP message claims:

savannah.gnu.org:
* SHA1 Fingerprint=59:62:0B:EF:A2:AA:FE:C1:6B:39:CB:A5:90:65:42:F5:81:A2:AE:A9
* MD5 Fingerprint=93:9C:BC:3C:2D:7C:42:D4:B1:15:B1:B6:B6:ED:EC:A0
savannah.nongnu.org:
* SHA1 Fingerprint=B9:8A:FE:4B:B8:B5:27:BF:44:71:7A:28:23:19:38:3A:34:E6:83:E0
* MD5 Fingerprint=07:EA:E7:86:B0:0F:F0:0F:7F:AC:82:2C:2E:F2:1B:C3

Here are the actual fingerprints that I obtained with `openssl x509
-fingerprint -noout -in ...', with and without the `-sha1' option to
alter between MD5 and SHA1:

savannah.gnu.org:
* SHA1 Fingerprint=5C:09:4A:82:12:06:20:89:CF:5F:F2:FC:AE:6A:2C:54:7B:8E:EA:5E
* MD5 Fingerprint=E2:4A:D7:0D:5F:53:A2:54:3A:CA:8B:01:DD:60:91:A4
savannah.nongnu.org:
* SHA1 Fingerprint=CA:06:57:BF:5B:35:94:0E:98:1B:28:81:83:47:BB:07:F4:EC:7B:D1
* MD5 Fingerprint=52:34:FD:6B:42:19:0A:E3:AD:8D:85:37:FF:ED:1B:72

I'm not wizardly enough with OpenSSL to make it verify whether a
certificate was, in fact, signed by an issuer, to check the validity
of the savannah.gnu.org and savannah.nongnu.org certificates against
Savannah's certificate authority.  I don't doubt that they were, but
is there any reason why the fingerprints do not match?