Re: Bug fix release to address broken nib loading...
From: Richard Frith-Macdonald
Subject: Re: Bug fix release to address broken nib loading...
Date: Tue, 11 Jun 2024 09:13:47 +0100
> On 10 Jun 2024, at 22:28, Riccardo Mottola <riccardo.mottola@libero.it> wrote:
>
> Hi,
>
> Yavor Doganov wrote:
>> Thanks for making a new release; this kind of regression is certainly
>> important enough to warrant it.
>>
>> I don't know what went wrong but it looks like the signature at
>> ftp.gnustep.org is bad:
>>
>> $ gpg --verify --verbose gnustep-gui-0.31.1.tar.gz.sig
>> gpg: enabled compatibility flags:
>> gpg: assuming signed data in 'gnustep-gui-0.31.1.tar.gz'
>> gpg: Signature made 6.06.2024 (чт) 12:39:51 EEST
>> gpg: using DSA key 83AAE47CE829A4146EF83420CA868D4C99149679
>> gpg: issuer "gnustep-maintainer@gnu.org"
>> gpg: using pgp trust model
>> gpg: BAD signature from "GNUstep Maintainer<gnustep-maintainer@gnu.org>"
>> [unknown]
>> gpg: binary signature, digest algorithm SHA1, key algorithm dsa1024
>>
>> For Debian it doesn't matter much because even a good signature is
>> rejected by current dpkg:
>>
>> dpkg-source: info: verifying ./gnustep-base_1.30.0.orig.tar.gz.asc
>> gpgv: Signature made Wed May 29 19:34:34 2024 UTC
>> gpgv: using DSA key 83AAE47CE829A4146EF83420CA868D4C99149679
>> gpgv: issuer "gnustep-maintainer@gnu.org"
>> gpgv: Note: signatures using the SHA1 algorithm are rejected
>> gpgv: Can't check signature: Bad public key
>> dpkg-source: warning: cannot verify upstream tarball signature for
>> ./gnustep-base_1.30.0.orig.tar.gz: no acceptable signature found
>>
>> I'm pretty sure I told Ivan about this some time ago. (It's not a
>> problem that impedes our work but would be nice to fix in the near
>> future.)
>
> Richard made the release... so I wonder how it was signed? I don't know if it
> was done with gnustep make or github.
> Does it verify for you, Richard?
>
> The note says it has been signed with
>
> 83AA E47C E829 A414 6EF8 3420 CA86 8D4C 9914 9679
>
> If I manually run gpg:
>
> (moria:~/Downloads) multix% gpg --verify gnustep-gui-0.31.1.tar.gz.sig
> gpg: assuming signed data in 'gnustep-gui-0.31.1.tar.gz'
> gpg: Signature made Thu Jun 6 11:39:51 2024 CEST
> gpg: using DSA key 83AAE47CE829A4146EF83420CA868D4C99149679
> gpg: issuer "gnustep-maintainer@gnu.org"
> gpg: Can't check signature: No public key
>
> It fails with your message. The key used is correct though.
>
> Riccardo
>
> PS:
> Gorm didn't have a signature file, so I didn't upload it to ftp.
I used gpg to sign.
It seems gpg uses sha1 by default, so if we want to create a signature that has
a more modern hash algorithm, we need to specify an additional option.
So it looks like adding '--digest-algo sha256' to the gpg command line should
work to override the digest algorithm selected (I assume sha256 would be fine).
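The digest question raised in this thread can be checked on the signature file itself rather than from gpg's verification output. The following is an added example, not gpg or GNUstep code: it parses the OpenPGP (RFC 4880) v4 signature packet in a detached `.sig` and reports the public-key and digest algorithms, the issuer key id and the creation time, flagging SHA1 before the signature is relied on. It assumes an old-format packet header (what gpg writes for signatures) and one- or two-octet subpacket lengths; the sample packet is constructed and its MPIs are dummies.

```python
import struct
from datetime import datetime, timezone

PUBKEY_ALGOS = {1: "rsa", 17: "dsa", 19: "ecdsa", 22: "eddsa"}
HASH_ALGOS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}
WEAK_DIGESTS = {"md5", "sha1"}  # digests that current gpgv/dpkg reject, per the thread

def _packet_body(data: bytes) -> bytes:
    """Return the body of a signature packet with an old-format header (what gpg writes)."""
    ctb = data[0]
    if ctb & 0x40 or (ctb >> 2) & 0x0F != 2 or ctb & 0x03 == 3:
        raise ValueError("expected an old-format signature packet (tag 2) with a definite length")
    off = (2, 3, 5)[ctb & 0x03]  # low two bits select a 1-, 2- or 4-octet body length
    return data[off:off + int.from_bytes(data[1:off], "big")]

def _subpackets(area: bytes):
    """Yield (type, payload) from a subpacket area; one- and two-octet lengths only."""
    i = 0
    while i < len(area):
        n = area[i]
        n, i = (n, i + 1) if n < 192 else (((n - 192) << 8) + area[i + 1] + 192, i + 2)
        yield area[i] & 0x7F, area[i + 1:i + n]  # length n includes the type octet
        i += n

def inspect_signature(data: bytes) -> dict:
    """Report the algorithms, issuer key id and creation time of a v4 signature packet."""
    body = _packet_body(data)
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    info = {"pubkey_algo": PUBKEY_ALGOS.get(body[2], body[2]), "issuer": None,
            "hash_algo": HASH_ALGOS.get(body[3], body[3]), "created": None}
    hlen = struct.unpack(">H", body[4:6])[0]  # hashed subpacket area, then the unhashed one
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    subs = list(_subpackets(body[6:6 + hlen])) + list(_subpackets(body[8 + hlen:8 + hlen + ulen]))
    for sub_type, payload in subs:
        if sub_type == 2:     # signature creation time
            info["created"] = datetime.fromtimestamp(struct.unpack(">I", payload)[0], timezone.utc)
        elif sub_type == 16:  # issuer key id (low 64 bits of the signing key's fingerprint)
            info["issuer"] = payload.hex().upper()
    info["weak_digest"] = info["hash_algo"] in WEAK_DIGESTS
    return info

# Constructed sample: a v4 DSA/SHA1 signature packet shaped like the one quoted in the thread
# (issuer key id = low 64 bits of the fingerprint given there); the MPIs are dummies, so the
# packet parses but could never verify against the real key.
SAMPLE_SIG = bytes.fromhex(
    "88 20 04 00 11 02"                                # old-format tag-2 header, 32-byte body; v4, binary doc, DSA, SHA1
    "0006 05 02 666183e7 000a 09 10 ca868d4c99149679"  # hashed: creation time 2024-06-06 09:39:51 UTC; unhashed: issuer
    "abcd 0008ff 000801")                              # left 16 hash bits; dummy DSA r and s MPIs
```

Run `inspect_signature(open("gnustep-gui-0.31.1.tar.gz.sig", "rb").read())` on a real detached signature; a packet made with `--digest-algo sha256` reports `hash_algo` as `sha256` and `weak_digest` as `False`.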