View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0026950 | mantisbt | installation | public | 2020-05-09 06:30 | 2020-06-22 06:29 |
Reporter | thomasjfox | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | confirmed | Resolution | open | ||
Product Version | 2.24.1 | ||||
Summary | 0026950: Can't verify gpg signature 2.24.1 release tarball | ||||
Description | Thanks for providing gpg keys to check the signature of a mantis release. $ gpg2 --verify mantisbt-2.24.1.tar.gz.asc mantisbt-2.24.1.tar.gz Interestingly the signature for the ZIP archive is ok: $ gpg2 --verify mantisbt-2.24.1.zip.asc mantisbt-2.24.1.zip No content has been tampered with: Checksums of the files: $ shasum mantisbt* I also tried if f.e. the signature was just for mantisbt-2.24.1.tar instead of mantisbt-2.24.1.tar.gz Can someone reproduce the issue? | ||||
Tags | No tags attached. | ||||
Related gpg key issue (I can't add related issues myself): |
|
I confirm the problem with the bad signature for the tarball. Our standard release publication process relies on a script to build the zip/tarballs, then generate the corresponding ASCII-armored signature files, so I really can't explain why one of them is valid while the other is not... Very strange. Maybe @vboctor signed the release manually, or errors occured during script execution, and he failed to notice. Anyway he's the only one who can fix this. |
|
Would be great, @vboctor if you could correctly sing the file! |
|
ping. |
|