I have had this public key in my keyring for about 2 months: https://openwrt.org/docs/guide-user/security/signatures#pgp_key_for_unattended_snapshot_builds
This is the fingerprint I get from it:
pub rsa4096 2016-07-26 [SC] 54CC 7430 7A2C 6DC9 CE61 8269 CD84 BCED 6264 71F1 uid [ unknown] LEDE Build System (LEDE GnuPG key for unattended build jobs) <firstname.lastname@example.org> sub rsa4096 2016-07-26 [S]
I've used it to verify older snapshots and they have always matched the signature. Well, today i'm getting a mismatch. Assuming this is the correct key, I'm guessing there is a problem with the signature
.asc file that the build bot generates.
- Verify the signature:
$ gpg --verify sha256sums.asc sha256sums gpg: Signature made qua 02 mar 2022 01:08:32 -03 gpg: using RSA key 6D9278A33A9AB3146262DCECF93525A88B699029 gpg: BAD signature from "LEDE Build System (LEDE GnuPG key for unattended build jobs) <email@example.com>" [unknown]
Can anyone confirm?