[Disorderfs 0.5.9] doesn't pass signature verification
Daniel Shahaf
danielsh at apache.org
Mon Apr 20 10:10:09 UTC 2020
Santiago Torres-Arias wrote on Sun, 19 Apr 2020 19:23 -0400:
> Hi,
>
> I tried to build disorderfs for Arch, and it seems to me that the tar.gz
> in [1] doesn't pass signature verification:
>
> [santiago at meme-cluster trunk]$ gpg --verify disorderfs-0.5.9.tar.gz disorderfs-0.5.9.tar.gz.asc
> gpg: Signature made Thu 16 Apr 2020 06:19:16 AM EDT
> gpg: using RSA key C2FE4BD271C139B86C533E461E953E27D4311E58
> gpg: BAD signature from "Chris Lamb <chris at chris-lamb.co.uk>" [unknown]
>
> Could we get it resigned (or verified that it's proper)?
>
I can't find the download link for those two files, but FWIW, here's my
signature on the tarball that's in Debian unstable right now:

% apt-get source disorderfs/sid
% gpg -abo- disorderfs_0.5.9.orig.tar.gz
%

I only verified that that tarball is currently in Debian sid; I haven't
verified it to be benign, compared it to the git tag, or anything else.

Speaking of which:

[[[
% git clone https://salsa.debian.org/reproducible-builds/disorderfs.git
% cd disorderfs
% git remote -v
origin git at salsa.debian.org:reproducible-builds/disorderfs.git (fetch)
origin git at salsa.debian.org:reproducible-builds/disorderfs.git (push)
% git tag -v 0.5.9
object 8ab69faa74fe90e7335f582adc17b4c88129713a
type commit
tag 0.5.9
tagger Chris Lamb <lamby at debian.org> 1587032350 +0100
Release 0.5.9
gpg: Signature made Thu 16 Apr 2020 10:19:10 UTC
gpg: using RSA key C2FE4BD271C139B86C533E461E953E27D4311E58
gpg: Good signature from "Chris Lamb <chris at chris-lamb.co.uk>" [marginal]
gpg: aka "Chris Lamb <lamby at gnu.org>" [marginal]
gpg: aka "Chris Lamb <lamby at debian.org>" [marginal]
⋮
]]]

HTH,

Daniel

(the URL change was by git-config(1) url.<base>.insteadOf)
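
Added example, not part of the original message or of the disorderfs project: the two gpg outcomes shown in this thread ("BAD signature ... [unknown]" and "Good signature ... [marginal]"), decided from gpg's machine-readable --status-fd lines against the key fingerprint printed above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Signing-key fingerprint as printed by gpg in the thread above.
PINNED_FPR=C2FE4BD271C139B86C533E461E953E27D4311E58

# classify_status FPR: reads `gpg --status-fd 1 --verify` output on stdin.
# Prints good, bad, wrong-key or no-signature; exit status 0 only for good.
# TRUST_* lines ([unknown], [marginal]) describe confidence in key ownership,
# not signature validity, so they are ignored once the fingerprint is pinned.
classify_status() {
    verdict=$(awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" { seen = 1; if ($3 == want) pinned = 1 }
        END {
            if (bad) print "bad"
            else if (!seen) print "no-signature"
            else if (!pinned) print "wrong-key"
            else print "good"
        }')
    printf '%s\n' "$verdict"
    [ "$verdict" = good ]
}

# verify_release SIGFILE DATAFILE: detached signature first, signed file second.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_status "$PINNED_FPR"
}

# Constructed status lines (not captured from a real run) for the two cases.
sample_bad() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG 1E953E27D4311E58 Chris Lamb <chris at chris-lamb.co.uk>'
}

sample_good_marginal() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 1E953E27D4311E58 Chris Lamb <chris at chris-lamb.co.uk>' \
        "[GNUPG:] VALIDSIG $PINNED_FPR 2020-04-16 1587032350 0 4 0 1 10 00 $PINNED_FPR" \
        '[GNUPG:] TRUST_MARGINAL 0 pgp'
}
```
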