Re: Unable to verify file integrity of which source tarball

From: Rolando Garza C.
Subject: Re: Unable to verify file integrity of which source tarball
Date: Fri, 11 Mar 2022 15:16:29 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0

It is currently not possible to verify file integrity of the "which"
packages hosted on gnu.org (https://ftp.gnu.org/gnu/which/).

gpg --keyserver keyserver.ubuntu.com --recv-keys 6FD2C61D624ACAD5
gpg: Total number processed: 1
gpg:     skipped PGP-2 keys: 1

I did a deep-dive trying to find the old signing public key (0x6FD2C61D624ACAD5, or by the short handle of 624ACAD5); it can be found by using the Internet Archive [0].

Also, I haven't been able to inspect the downloaded key, but I did find an online source that listed the fingerprint as:

    32 EC A7 B6 AC DB 65 A6  F6 F6 55 DD 1C DC FF 61
    (32ECA7B6ACDB65A6F6F655DD1CDCFF61 for short)

It seems it might be required to download and compile gnupg-1.4.23 to try to import the old signature with the old binary pgp2 format [1].

However, I was unable to build gnupg-1.4.23 (I got some weird errors, but I may try to build it again at a later date); coincidentally, it was also signed with Werner Koch's old signing key, with fingerprint:


Anyhow, is there a chance, Carlo, that the newest version of which could be re-signed with your new signing key?

Kind regards,


[0]: https://web.archive.org/web/20150912123014if_/http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=which&download=1

[1]: https://unix.stackexchange.com/questions/404879/converting-old-pgp-keys-to-gpg-resolved#comment724527_404879

Rolando Garza

Attachment: OpenPGP_0xE726BC7BEF39923D.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
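
Added example, not part of the original message: a way to inspect a PGP-2 style (v2/v3) RSA public-key packet without an old GnuPG build, computing its key ID and 16-byte MD5 fingerprint as RFC 4880 section 12.2 defines them, so the result can be compared with a published fingerprint. It assumes a binary (already dearmored) packet; the function names and the toy sample key are constructed for illustration.

```python
import hashlib
import struct

def read_mpi(buf, pos):
    """Read one OpenPGP MPI: 2-byte bit count, then the magnitude bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return buf[pos + 2:end], end

def inspect_v3_pubkey(packet):
    """Return (key_id, fingerprint) of a binary old-format v2/v3 RSA public-key packet."""
    # Old-format header: bits 7-6 = 10, packet tag in bits 5-2 (6 = public key).
    if not packet or packet[0] & 0xC0 != 0x80 or (packet[0] >> 2) & 0x0F != 6:
        raise ValueError("not an old-format public-key packet")
    if packet[0] & 0x03 == 3:
        raise ValueError("indeterminate-length packets are not handled")
    hdr = 1 + (1, 2, 4)[packet[0] & 0x03]
    body_len = int.from_bytes(packet[1:hdr], "big")
    body = packet[hdr:hdr + body_len]
    if len(body) != body_len or body_len < 8:
        raise ValueError("truncated packet")
    # v3 body: version, creation time, validity in days, algorithm, then MPIs n and e.
    version, _created, _valid_days, algo = struct.unpack_from(">BIHB", body, 0)
    if version not in (2, 3) or algo not in (1, 2, 3):
        raise ValueError("not a v2/v3 RSA key (MD5 fingerprint rule does not apply)")
    n, pos = read_mpi(body, 8)
    e, _ = read_mpi(body, pos)
    # RFC 4880 12.2: fingerprint = MD5 over the n and e bytes without their
    # length prefixes; key ID = low 64 bits of the modulus n.
    return n[-8:].hex().upper(), hashlib.md5(n + e).hexdigest().upper()

def same_fingerprint(a, b):
    """Compare two fingerprints regardless of spacing and letter case."""
    return "".join(a.split()).upper() == "".join(b.split()).upper()

# Constructed toy key (128-bit modulus), NOT the key discussed in this thread.
def _mpi(raw):
    return struct.pack(">H", int.from_bytes(raw, "big").bit_length()) + raw

SAMPLE_N = bytes.fromhex("C0FFEE0000000000" "0123456789ABCDEF")
SAMPLE_E = bytes.fromhex("010001")
_body = struct.pack(">BIHB", 3, 0, 0, 1) + _mpi(SAMPLE_N) + _mpi(SAMPLE_E)
SAMPLE_PACKET = b"\x99" + struct.pack(">H", len(_body)) + _body

if __name__ == "__main__":
    print(inspect_v3_pubkey(SAMPLE_PACKET))
```

A match between the computed and published fingerprint only shows that the two sources agree on the key; it says nothing about whether either source is trustworthy.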
