Re: [SECURITY] [DSA 411-1] New mpg321 packages fix ... - PGP key? [solved]

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 411-1] New mpg321 packages fix ... - PGP key? [solved]
From: "s. keeling" <keeling@spots.ab.ca>
Date: Tue, 6 Jan 2004 00:26:17 -0700
Message-id: <[🔎] 20040106072617.GA26317@infidel.spots.ab.ca>
Mail-followup-to: debian-security@lists.debian.org
Reply-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 200401060712.43288.zsol@zsol.bounceme.net>
References: <20040106025204.GP28393@alcor.net> <[🔎] 20040106053749.GE23284@infidel.spots.ab.ca> <[🔎] 200401060712.43288.zsol@zsol.bounceme.net>

Incoming from ZsoL:
> Hash: SHA1
> 
> On Tuesday 06 January 2004 06.37, s. keeling wrote:
> > Incoming from Matt Zimmerman:
> > > Debian Security Advisory DSA 411-1                    
> > > security@debian.org http://www.debian.org/security/                      
> > >       Matt Zimmerman January 5th, 2004                      
> > > http://www.debian.org/security/faq
> > >
> > > Package        : mpg321
> >
> > Were any of you able to verify the PGP signatures on the latest
> > debian-security-announce messages?  I can't:
> >
> >   [-- PGP output follows (current time: Mon 05 Jan 2004 10:30:43 PM MST)
> > 43E25D1E gpg: Can't check signature: public key not found
> >   [-- End of PGP output --]
> >
> maybe you have to import mdz@debian.org's public key.

I've tried.  GPA import key fails quietly.  So I used w3m to go to the
URL he supplied:

   (2) keeling /home/keeling/dox_ gpg --verify matt_zimmerman.txt 
   gpg: verify signatures failed: unexpected data
   (2) keeling /home/keeling/dox_ gpg --verify < matt_zimmerman.txt 
   gpg: verify signatures failed: unexpected data

So, I tried wget:

   (0) keeling /home/keeling/dox_ gpg --verify lookup\?op\=get\&search\=0x440202C3137B1CB4 
   gpg: verify signatures failed: unexpected data
   (2) keeling /home/keeling/dox_ gpg --verify < lookup\?op\=get\&search\=0x440202C3137B1CB4 
   gpg: verify signatures failed: unexpected data

So, I "C"opied the mail to a file, then:

   (0) keeling /home/keeling/dox_ gpg --verify-files matt_zimmerman.msg     
   gpg: Signature made Mon 05 Jan 2004 07:51:35 PM MST using DSA key ID 43E25D1E
   gpg: Can't check signature: public key not found

Then I tried --import:

   (2) keeling /home/keeling/dox_ gpg --import matt_zimmerman.msg
   gpg: no valid OpenPGP data found.
   gpg: Total number processed: 0

Ah!  Finally:

   (2) keeling /home/keeling/dox_ gpg --recv-keys 43E25D1E       
   gpg: key 43E25D1E: removed multiple subkey binding
   gpg: key 43E25D1E: public key "Matt Zimmerman <mdz@debian.org>" imported
   gpg: Total number processed: 1
   gpg:               imported: 1

Now why was that so difficult?!?  Every other time just reading mail
from someone grabs their key from the keyserver and checks the signature.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)               http://www.spots.ab.ca/~keeling 
- -

Reply to:

References:
- Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
  - From: "s. keeling" <keeling@spots.ab.ca>
- Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
  - From: ZsoL <zsol@zsol.bounceme.net>

Prev by Date: Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
Next by Date: Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
Previous by thread: Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
Next by thread: Re: [SECURITY] [DSA 411-1] New mpg321 packages fix format string vulnerability - PGP key?
Index(es):
- Date
- Thread