
1.4.x fails to check the spamassassin tarball signature file
Closed, Resolved (Public)

Description

Release: 1.4.0

Environment

GNU/Linux, glibc-2.3.4, kernel 2.6.11

Description

gnupg-1.4.0 fails to check the spamassassin 3.0.2 tarball detached signature. 1.2.4 checks it without problems. Below is an email exchange with the spamassassin authors.
For example, check these:
http://apache.usp.br/spamassassin/source/Mail-SpamAssassin-3.0.2.tar.bz2
http://www.apache.org/dist/spamassassin//Mail-SpamAssassin-3.0.2.tar.bz2.asc

Andreas Hasenack writes:
> $ gpg --verify Mail-SpamAssassin-3.0.2.tar.bz2.asc
> gpg: Signature made Qui 16 Dez 2004 01:57:48 BRST using DSA key ID 265FA05B
> gpg: BAD signature from "SpamAssassin Signing Key <release@spamassassin.org>"
>
> $ md5sum Mail-SpamAssassin-3.0.2.tar.bz2
> b373bc48c4f50b70cb784f40d88868bf Mail-SpamAssassin-3.0.2.tar.bz2
>
> I downloaded it from http://ftp.pucpr.br/apache/spamassassin/source/

It might be worthwhile checking that version of gpg. ISTR hearing
from someone recently that their sig verification failed until
they upgraded gpg. Here's the results with 1.2.5:

: jm 61...; gpg --verify ~/DL/Mail-SpamAssassin-3.0.2.tar.bz2.asc
gpg: Signature made Wed Dec 15 19:57:48 2004 PST using DSA key ID 265FA05B
gpg: Good signature from "SpamAssassin Signing Key <release@spamassassin.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B

: jm 64...; gpg --version
gpg (GnuPG) 1.2.5
Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Compression: Uncompressed, ZIP, ZLIB, BZIP2

For paranoia, here's the sha1 and md5 sums that you should see,
both on the website and when you sum the file:

sha1sum Mail-SpamAssassin-3.0.2.tar.bz2
1e23f36a0820a6e9e7d9d43262607f3984db2724 Mail-SpamAssassin-3.0.2.tar.bz2

md5sum Mail-SpamAssassin-3.0.2.tar.bz2
b373bc48c4f50b70cb784f40d88868bf Mail-SpamAssassin-3.0.2.tar.bz2

How To Repeat

Just check the detached signature of the spamassassin tarball with gnupg-1.4.0 (perhaps 1.4.x?).

Event Timeline

dshaw added a subscriber: dshaw.

The spamassassin folks are making --textmode signatures.
Since a tarball is not text, this isn't going to work too
well. I've sent them a note about it.
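The following is an added illustration of the text-mode point made in the comment above; it is example code written for this page, not code from GnuPG or from the SpamAssassin project. OpenPGP distinguishes a binary-document signature (class 0x00) from a canonical-text signature (class 0x01, what `--textmode` produces); for class 0x01 the verifier hashes the document with line endings converted to CR LF, so a tarball whose bytes happen to contain 0x0A is hashed over different bytes than the raw file, and two implementations that disagree on whether to apply that conversion to a detached signature disagree on the digest. The block shows the digest divergence on a constructed binary sample and parses a constructed, non-verifying armored signature packet to report its class, which is the check you would run on a downloaded `.asc` before blaming your gpg version. Assumptions: the canonicalization rule is the RFC 4880 line-ending rule only (no trailing-whitespace stripping), SHA-1 is used because the report's signatures are DSA/SHA-1, the signature trailer is omitted since it is identical for both classes, and the sample armor, packet bytes and binary input are all constructed here.

```python
"""
Why a --textmode (sigclass 0x01) detached signature over a tarball can fail.

A canonical-text signature is hashed over the document with line endings
normalised to CR LF; a binary signature is hashed over the raw bytes.
"""
import base64
import hashlib

SIG_BINARY = 0x00          # RFC 4880 5.2.1: signature of a binary document
SIG_CANONICAL_TEXT = 0x01  # RFC 4880 5.2.1: signature of a canonical text document


def canonicalize_text(data: bytes) -> bytes:
    """Convert LF and CR LF line endings to CR LF (text-mode hashing input).

    Assumption: this mirrors only the line-ending rule of RFC 4880 5.2.1;
    trailing-whitespace stripping is a cleartext-signature rule, not applied here.
    """
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def digest_for_sig_class(data: bytes, sig_class: int) -> str:
    """SHA-1 of the document as a verifier would hash it for the given class.

    SHA-1 because the 2004 signatures in the report are DSA/SHA-1.  The
    signature trailer is left out: it is the same for both classes.
    """
    if sig_class == SIG_BINARY:
        material = data
    elif sig_class == SIG_CANONICAL_TEXT:
        material = canonicalize_text(data)
    else:
        raise ValueError(f"unsupported signature class 0x{sig_class:02x}")
    return hashlib.sha1(material).hexdigest()


def digests_agree(data: bytes) -> bool:
    """True iff binary-mode and text-mode hashing give the same digest."""
    return digest_for_sig_class(data, SIG_BINARY) == digest_for_sig_class(data, SIG_CANONICAL_TEXT)


def dearmor_signature(asc: str) -> bytes:
    """Return the raw packet bytes inside an ASCII-armored detached signature.

    Armor headers (up to the first blank line) are skipped, as is the
    "=XXXX" CRC24 line; the CRC is not checked here.
    """
    lines = [line.strip() for line in asc.splitlines()]
    try:
        start = lines.index("-----BEGIN PGP SIGNATURE-----")
        end = lines.index("-----END PGP SIGNATURE-----", start)
    except ValueError:
        raise ValueError("no PGP SIGNATURE armor block found") from None
    body = lines[start + 1:end]
    if "" in body:
        body = body[body.index("") + 1:]
    b64 = "".join(line for line in body if line and not line.startswith("="))
    return base64.b64decode(b64)


def signature_class(packet: bytes) -> int:
    """Read the signature type octet from the first OpenPGP packet.

    Handles old- and new-format packet headers (RFC 4880 4.2) and
    v3 / v4-style signature packets (RFC 4880 5.2.2 / 5.2.3).
    """
    if not packet or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if packet[0] & 0x40:                       # new format: tag in the low 6 bits
        tag = packet[0] & 0x3F
        first = packet[1]
        hdr_len = 2 if first < 192 else 3 if first < 224 else 6 if first == 255 else 2
    else:                                      # old format: tag in bits 2..5
        tag = (packet[0] >> 2) & 0x0F
        hdr_len = 1 + (1, 2, 4, 0)[packet[0] & 0x03]
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = packet[hdr_len:]
    version = body[0]
    if version == 3:
        return body[2]          # v3: version, 0x05, signature type
    if version in (4, 5, 6):
        return body[1]          # v4+: version, signature type
    raise ValueError(f"unsupported signature packet version {version}")


def describe(asc: str) -> str:
    """Human-readable class of an armored detached signature."""
    cls = signature_class(dearmor_signature(asc))
    names = {SIG_BINARY: "binary", SIG_CANONICAL_TEXT: "canonical text (--textmode)"}
    return f"sigclass 0x{cls:02x}: {names.get(cls, 'other')}"


# Constructed sample: a minimal v4 DSA/SHA-1 signature packet of class 0x01
# with dummy MPIs.  It is not a real signature and verifies against nothing;
# it exists only so the parser has input.
_SAMPLE_PACKET = (
    b"\x88\x10"                      # old-format header: tag 2, 1-octet length 16
    b"\x04\x01\x11\x02"              # v4, sig class 0x01, DSA (17), SHA-1 (2)
    b"\x00\x00\x00\x00"              # no hashed / unhashed subpackets
    b"\x12\x34"                      # left 16 bits of the hash (dummy)
    b"\x00\x01\x01" b"\x00\x01\x01"  # DSA r and s as 1-bit MPIs (dummy)
)
SAMPLE_TEXTMODE_ASC = (
    "-----BEGIN PGP SIGNATURE-----\n"
    "Comment: constructed sample, not a real signature\n"
    "\n"
    + base64.b64encode(_SAMPLE_PACKET).decode() + "\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    # Constructed binary sample containing LF and CR LF bytes, as a tarball might.
    tarball_like = b"BZh91AY&SY\x00\n\x1f\x8b\r\n\x01\n\xff"
    print("binary-mode digest:", digest_for_sig_class(tarball_like, SIG_BINARY))
    print("text-mode digest  :", digest_for_sig_class(tarball_like, SIG_CANONICAL_TEXT))
    print("agree?", digests_agree(tarball_like))                  # False
    print("agree?", digests_agree(b"line one\r\nline two\r\n"))   # True: already CR LF
    print(describe(SAMPLE_TEXTMODE_ASC))
```

On a real download the same check is available from gpg itself: `gpg --list-packets Mail-SpamAssassin-3.0.2.tar.bz2.asc` prints the signature packet with its `sigclass`, and a `.asc` for a tarball should show `sigclass 0x00`. Publishers fix the producing side by signing with `gpg --armor --detach-sign` and leaving `--textmode` out for anything that is not text.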