I have had this public key in my keyring for about 2 months: https://openwrt.org/docs/guide-user/security/signatures#pgp_key_for_unattended_snapshot_builds
This is the fingerprint I get from it:
pub rsa4096 2016-07-26 [SC]
54CC 7430 7A2C 6DC9 CE61 8269 CD84 BCED 6264 71F1
uid [ unknown] LEDE Build System (LEDE GnuPG key for unattended build jobs) <lede-adm@lists.infradead.org>
sub rsa4096 2016-07-26 [S]
I've used it to verify older snapshots and they have always matched the signature. Well, today I'm getting a mismatch. Assuming this is the correct key, I'm guessing there is a problem with the signature .asc file that the build bot generates.
To reproduce
- Download sha256sums and sha256sums.asc from https://downloads.openwrt.org/snapshots/targets/ramips/mt7621/
- Verify the signature:
$ gpg --verify sha256sums.asc sha256sums
gpg: Signature made qua 02 mar 2022 01:08:32 -03
gpg: using RSA key 6D9278A33A9AB3146262DCECF93525A88B699029
gpg: BAD signature from "LEDE Build System (LEDE GnuPG key for unattended build jobs) <lede-adm@lists.infradead.org>" [unknown]
It's currently r19040-247eaa4416.
Can anyone confirm?
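The same check in a form a script can act on, as an added example that is not part of the original post: it reads gpg's machine-readable `--status-fd` lines instead of the localized text, separates a bad signature from a missing or expired key, and requires the primary-key fingerprint to equal the one quoted above. The verdict names and the sample status lines are constructed for this example.

```python
import subprocess
import sys

# Primary-key fingerprint quoted in the post, spaces removed.
PINNED_PRIMARY = "54CC74307A2C6DC9CE618269CD84BCED626471F1"

def classify(status_text, pinned=PINNED_PRIMARY):
    """Map gpg --status-fd lines for one signature to a single verdict."""
    good, primary = False, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "BADSIG":
            # Key is in the keyring, but the signature does not match the data.
            return "bad-signature"
        if tag in ("ERRSIG", "NO_PUBKEY"):
            return "cannot-check"
        if tag in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return "expired-or-revoked"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and args:
            # Last VALIDSIG field is the primary key's fingerprint, so a
            # signature made by a signing subkey still maps to the pinned key.
            primary = args[-1].upper()
    if good and primary == pinned:
        return "good-pinned-key"
    return "good-other-key" if good else "no-signature"

def verify(sig_path, data_path):
    """Run gpg on a detached signature and classify its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return classify(proc.stdout)

# Constructed status lines (not captured from a real run).
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG F93525A88B699029 LEDE Build System\n"
SAMPLE_GOOD = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG F93525A88B699029 LEDE Build System\n"
               "[GNUPG:] VALIDSIG 6D9278A33A9AB3146262DCECF93525A88B699029 2022-03-02 "
               "1646194112 0 4 0 1 8 00 54CC74307A2C6DC9CE618269CD84BCED626471F1\n")
SAMPLE_OTHER = SAMPLE_GOOD.replace(PINNED_PRIMARY, "0" * 40)

if __name__ == "__main__" and len(sys.argv) == 3:
    print(verify(sys.argv[1], sys.argv[2]))
```

Run as a script with the signature path followed by the data path, the same argument order as `gpg --verify`.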