Bad OpenPGP signature from snapshot build

I have had this public key in my keyring for about 2 months: https://openwrt.org/docs/guide-user/security/signatures#pgp_key_for_unattended_snapshot_builds

This is the fingerprint I get from it:

pub   rsa4096 2016-07-26 [SC]
      54CC 7430 7A2C 6DC9 CE61  8269 CD84 BCED 6264 71F1
uid           [ unknown] LEDE Build System (LEDE GnuPG key for unattended build jobs) <lede-adm@lists.infradead.org>
sub   rsa4096 2016-07-26 [S]

I've used it to verify older snapshots and they have always matched the signature. Well, today I'm getting a mismatch. Assuming this is the correct key, I'm guessing there is a problem with the signature .asc file that the build bot generates.

To reproduce

  1. Download sha256sums and sha256sums.asc from https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/
  2. Verify the signature:
$ gpg --verify sha256sums.asc sha256sums

gpg: Signature made qua 02 mar 2022 01:08:32 -03
gpg:                using RSA key 6D9278A33A9AB3146262DCECF93525A88B699029
gpg: BAD signature from "LEDE Build System (LEDE GnuPG key for unattended build jobs) <lede-adm@lists.infradead.org>" [unknown]

It's currently r19040-247eaa4416.

Can anyone confirm?

  • Did you notice the dates are different?
  • Did you notice one says LEDE and not OpenWrt (i.e. probably quite old)?
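
Added example, not part of the thread or of OpenWrt's tooling: a shell helper that reads gpg's machine-readable status lines (`--status-fd`) and separates "signature does not match the file" (BADSIG) from "valid signature, but not under the pinned primary key". The function names and the sample status lines are constructed for illustration, and the samples assume that the signing key ID in the output above is a subkey of the fingerprint quoted in the first post.

```shell
#!/bin/sh
# Primary-key fingerprint quoted in the first post, spaces removed.
PINNED_FPR="54CC74307A2C6DC9CE618269CD84BCED626471F1"

# Read `gpg --status-fd 1 --verify` output on stdin and print one verdict.
classify_gpg_status() {
    pinned=$1
    verdict="no-signature"
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] BADSIG "*)
                # The signature does not match the file contents.
                verdict="bad-signature"; break ;;
            "[GNUPG:] NO_PUBKEY "*)
                verdict="missing-key" ;;
            "[GNUPG:] VALIDSIG "*)
                # Assumes GnuPG 2.x, where the last field is the primary key
                # fingerprint even when a signing subkey made the signature.
                primary=${line##* }
                if [ "$primary" = "$pinned" ]; then verdict="good"
                else verdict="wrong-key"; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# $1 = detached signature, $2 = signed file. Status goes to stdout,
# the human-readable log on stderr is discarded.
verify_snapshot() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_gpg_status "$PINNED_FPR"
}

# Constructed status lines for offline runs (not captured from a real build).
sample_bad() {
    printf '%s\n' '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG F93525A88B699029 LEDE Build System <lede-adm@lists.infradead.org>'
}
sample_good() {
    printf '%s\n' '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG F93525A88B699029 LEDE Build System <lede-adm@lists.infradead.org>' \
        '[GNUPG:] VALIDSIG 6D9278A33A9AB3146262DCECF93525A88B699029 2022-03-02 1646194112 0 4 0 1 8 00 54CC74307A2C6DC9CE618269CD84BCED626471F1'
}
sample_wrong_key() {
    printf '%s\n' \
        '[GNUPG:] VALIDSIG 6D9278A33A9AB3146262DCECF93525A88B699029 2022-03-02 1646194112 0 4 0 1 8 00 0000000000000000000000000000000000000001'
}
```

Run `verify_snapshot sha256sums.asc sha256sums` in the download directory; only a `good` verdict means the checksums file is signed under the pinned key.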
