MatthewVance/nginx-build

Signature check failing

DaveWhoHasARadarGun opened this issue · 2 comments

Here's the CLI output, thanks in advance for your help with this issue. Let me know if there's any additional information you need:

+ cd /usr/local/src/nginx/build
++ mktemp -d
+ GNUPGHOME=/tmp/tmp.aIGYPxXeaG
+ export GNUPGHOME
+ gpg --keyserver keyserver.ubuntu.com --recv-keys 45F68D54BBE23FB3039B46E59766E084FB0F43D8 5ED46A6721D365587791E2AA783FCD8E58BCAFBA 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C B0F4253373F8F6F510D42178520A9993A1C052F8
gpg: keybox '/tmp/tmp.aIGYPxXeaG/pubring.kbx' created
gpg: /tmp/tmp.aIGYPxXeaG/trustdb.gpg: trustdb created
gpg: key 520A9993A1C052F8: public key "Maxim Dounin <mdounin@mdounin.ru>" imported
gpg: key D5E9E43F7DF9EE8C: public key "Richard Levitte <richard@levitte.org>" imported
gpg: key 783FCD8E58BCAFBA: public key "Mark Adler <madler@alumni.caltech.edu>" imported
gpg: key 9766E084FB0F43D8: 3 duplicate signatures removed
gpg: key 9766E084FB0F43D8: public key "Philip Hazel <Philip.Hazel@gmail.com>" imported
gpg: Total number processed: 4
gpg:               imported: 4
+ gpg --batch --verify pcre.tar.gz.sig pcre.tar.gz
gpg: Signature made Tue 15 Jun 2021 12:14:56 PM EDT
gpg:                using RSA key 45F68D54BBE23FB3039B46E59766E084FB0F43D8
gpg: Good signature from "Philip Hazel <Philip.Hazel@gmail.com>" [unknown]
gpg:                 aka "Philip Hazel <ph10@hermes.cam.ac.uk>" [unknown]
gpg:                 aka "Philip Hazel <ph10@cam.ac.uk>" [unknown]
gpg:                 aka "Philip Hazel <ph10@cus.cam.ac.uk>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 45F6 8D54 BBE2 3FB3 039B  46E5 9766 E084 FB0F 43D8
+ gpg --batch --verify zlib.tar.gz.asc zlib.tar.gz
gpg: Signature made Sun 15 Jan 2017 12:44:35 PM EST
gpg:                using DSA key 783FCD8E58BCAFBA
gpg: Good signature from "Mark Adler <madler@alumni.caltech.edu>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5ED4 6A67 21D3 6558 7791  E2AA 783F CD8E 58BC AFBA
+ gpg --batch --verify openssl.tar.gz.asc openssl.tar.gz
gpg: Signature made Tue 14 Dec 2021 11:16:29 AM EST
gpg:                using RSA key 8657ABB260F056B1E5190839D9C4D26D0E604491
gpg: Can't check signature: No public key

and then it returns to the CLI prompt.

I was able to get this working by using the key that was removed in the last commit (d062a6c). Additionally, I used the keyserver at pgp.mit.edu; I'm not sure if the key change would have worked with keyserver.ubuntu.com.

It's because OpenSSL has a couple of people that can sign releases. It's not uncommon for one version to be signed by one of them and the next by another. Currently, the OMC members that sign releases include Richard Levitte and Matt Caswell per https://www.openssl.org/source/.

This page includes the PGP Key IDs of the members of the OpenSSL Management Committee: https://www.openssl.org/community/omc.html

I've reverted the earlier change as it has swapped back to who I had before. It's quite likely this will occur again at some point when OpenSSL versions change.
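Added example (not code from the nginx-build repository): because more than one person may sign an OpenSSL release, the check that fails least often is to pin a set of full fingerprints per tarball and judge gpg's machine-readable `--status-fd` output instead of grepping "Good signature". All fingerprints below come from the build log in this issue; the status lines are constructed samples of the two outcomes seen above. Note that a "Good signature" shown with the "not certified" warning still yields a VALIDSIG line, so pinning the fingerprint is what replaces the web-of-trust decision.

```python
import subprocess

# Pinned primary-key fingerprints allowed to sign each tarball (values from the
# log above). OpenSSL lists two because several OMC members sign releases.
ALLOWED = {
    "pcre.tar.gz": {"45F68D54BBE23FB3039B46E59766E084FB0F43D8"},
    "zlib.tar.gz": {"5ED46A6721D365587791E2AA783FCD8E58BCAFBA"},
    "openssl.tar.gz": {"7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C",
                       "8657ABB260F056B1E5190839D9C4D26D0E604491"},
}

def judge(status_output: str, allowed: set) -> tuple:
    """Decide from gpg --status-fd lines whether the signature is acceptable."""
    records = [l.split()[1:] for l in status_output.splitlines() if l.startswith("[GNUPG:] ")]
    tags = {r[0] for r in records}
    # Exact failure from the issue: signer's key was never imported.
    for r in records:
        if r[0] == "NO_PUBKEY":
            return False, f"signing key {r[1]} not in keyring; import it by full fingerprint"
    for bad in ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG"):
        if bad in tags:
            return False, f"gpg reported {bad}"
    signers = set()
    for r in records:
        if r[0] == "VALIDSIG":
            # field 1 is the signing (sub)key; field 10, when present, is the
            # primary key fingerprint, which is what we pin.
            signers.add((r[10] if len(r) > 10 else r[1]).upper())
    if not signers:
        return False, "no VALIDSIG line seen"
    unpinned = signers - allowed
    if unpinned:
        return False, f"valid signature but from unpinned key(s) {sorted(unpinned)}"
    return True, f"valid signature from pinned key(s) {sorted(signers)}"

def verify_file(sig_path: str, data_path: str, allowed: set) -> tuple:
    """Run gpg the way the build script does, but with status output, and judge it."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return judge(proc.stdout, allowed)

# Constructed status output for the pcre case from the log (good signature, untrusted key).
STATUS_OK = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9766E084FB0F43D8 Philip Hazel <Philip.Hazel@gmail.com>
[GNUPG:] VALIDSIG 45F68D54BBE23FB3039B46E59766E084FB0F43D8 2021-06-15 1623773696 0 4 0 1 8 00 45F68D54BBE23FB3039B46E59766E084FB0F43D8
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Constructed status output for the openssl case from the log (key not in keyring).
STATUS_NOKEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D9C4D26D0E604491 1 8 00 1639498589 9 8657ABB260F056B1E5190839D9C4D26D0E604491
[GNUPG:] NO_PUBKEY D9C4D26D0E604491
"""
```

In the build script, `verify_file("openssl.tar.gz.asc", "openssl.tar.gz", ALLOWED["openssl.tar.gz"])` reports which fingerprint is missing instead of silently returning to the prompt.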