4 messages in net.sourceforge.lists.courier-maildropRe: [maildropl] Bad signature for lat...
FromSent OnAttachments
Richard FeldmannAug 17, 2005 10:51 am 
Sam VarshavchikAug 18, 2005 10:59 am 
Richard FeldmannAug 18, 2005 8:57 pm 
Sam VarshavchikAug 19, 2005 3:57 am 
Actions with this message:
Paste this link in email or IM:
Paste this link in email or IM:
Atom feed for this thread
Paste this URL into your reader:
Subject:Re: [maildropl] Bad signature for latest maildrop tar?Actions...
From:Richard Feldmann (rh@mail.oaksage.dyndns.org)
Date:Aug 18, 2005 8:57:45 pm
List:net.sourceforge.lists.courier-maildrop

cour@lists.sourceforge.net wrote:

Richard Feldmann writes:

Greetings,

I just downloaded the most recent maildrop tar file (maildrop-1.8.1.tar.bz2), along with the .sig file and the verify attempt failed, saying it is a "BAD signature." Is this the correct sig for this file? Perhaps the author should verify the sig and make a valid one available . . .

Here's the message:

gpg --verify maildrop-1.8.1.tar.bz2.sig maildrop-1.8.1.tar.bz2 gpg: Signature made Fri 13 May 2005 06:25:33 AM MDT using DSA key ID 81E550E2 gpg: BAD signature from "Sam Varshavchik <mrs@courier-mta.com>"

$ gpg maildrop-1.8.1.tar.bz2.sig gpg: Signature made Fri 13 May 2005 08:25:33 AM EDT using DSA key ID 81E550E2 gpg: Good signature from "Sam Varshavchik <mrs@courier-mta.com>" Primary key fingerprint: 7F87 3288 3015 BF63 BC71 7A5A C7DA 7719 81E5 50E2

This seems pretty odd. Here's exactly what I did and I still get the same bad verification:

wget http://prdownloads.sourceforge.net/courier/maildrop-1.8.1.tar.bz2 wget http://internap.dl.sourceforge.net/sourceforge/courier/maildrop-1.8.1.tar.bz2.sig

file maildrop-1.8.1.tar.bz2.sig maildrop-1.8.1.tar.bz2.sig: data <== seems strange

If I use wget to retrieve http://prdownloads.sourceforge.net/courier/maildrop-1.8.1.tar.bz2.sig it just retrieves an html page from sourceforge that contains no sig. So, I chose a different mirror.

gpg --list-keys --fingerprint Varshavchik pub 1024D/81E550E2 2003-04-11 Key fingerprint = 7F87 3288 3015 BF63 BC71 7A5A C7DA 7719 81E5 50E2 uid Sam Varshavchik <mrs@courier-mta.com> sub 2048g/8F7B8E00 2003-04-11

gpg --verify maildrop-1.8.1.tar.bz2.sig maildrop-1.8.1.tar.bz2.sig gpg: Signature made Fri 13 May 2005 06:25:33 AM MDT using DSA key ID 81E550E2 gpg: BAD signature from "Sam Varshavchik <mrs@courier-mta.com>"

The fingerprint matches, but I'm wondering if the sig that's available on sourceforge somehow got corrupted? I thought the sig would be in ascii armor format . . . ?

Regards, Richard