Broken gpg signature download and no hints where to find the keys

Robert Widhopf-Fenk hack at robf.de
Thu Aug 24 23:33:33 BST 2006


At http://bazaar-vcs.org/OfficialDownloads there is a link
to the GPG signature, but when trying to download it with a
simple left click in Firefox 1.5.0.6 on Debian I get the
error: 

,----
| ... bzr-0.9.tar.gz.sig.part could not be saved, because
| the source file could not be read.  Try again later, or
| contact the server administrator.
`----

When I use "Save link as" I do not get the error, but no file
is downloaded either.

Is this a bug in FF?  I have never seen that before.

Others use .asc (apache) or .sign (kernel) as extension and
I have no problem downloading them.  

With wget I can get it, but look at the odd MIME type; it seems
like a broken mime.types on the server?

,----
| ~/download > wget -d http://bazaar-vcs.org/pkg/bzr-0.8.1.tar.gz.sig
| DEBUG output created by Wget 1.10.2 on linux-gnu.
| 
| --00:30:30--  http://bazaar-vcs.org/pkg/bzr-0.8.1.tar.gz.sig
|            => `bzr-0.8.1.tar.gz.sig.1'
| Resolving bazaar-vcs.org... 82.211.81.161
| Caching bazaar-vcs.org => 82.211.81.161
| Connecting to bazaar-vcs.org|82.211.81.161|:80... connected.
| Created socket 3.
| Releasing 0x0808d530 (new refcount 1).
| 
| ---request begin---
| GET /pkg/bzr-0.8.1.tar.gz.sig HTTP/1.0
| User-Agent: Wget/1.10.2
| Accept: */*
| Host: bazaar-vcs.org
| Connection: Keep-Alive
| 
| ---request end---
| HTTP request sent, awaiting response...
| ---response begin---
| HTTP/1.1 200 OK
| Date: Thu, 24 Aug 2006 22:30:31 GMT
| Server: Apache/2.0.55 (Ubuntu) PHP/4.4.2-1build1 mod_ssl/2.0.55 OpenSSL/0.9.8a
| Last-Modified: Wed, 17 May 2006 02:44:47 GMT
| ETag: "5b9e7f-41-e71885c0"
| Accept-Ranges: bytes
| Content-Length: 65
| Keep-Alive: timeout=15, max=100
| Connection: Keep-Alive
| Content-Type: application/x-tar
| Content-Encoding: x-gzip
| 
| ---response end---
| 200 OK
| Registered socket 3 for persistent reuse.
| Length: 65 [application/x-tar]
| 
| 100%[====================================>] 65            --.--K/s
| 
| 00:30:30 (3.65 MB/s) - `bzr-0.8.1.tar.gz.sig.1' saved [65/65]
`----

O.k. let's verify:

,----
| ~/download > gpg --verify bzr-0.9.tar.gz.sig bzr-0.9.tar.gz
| gpg: Signature made Fri Aug 11 12:37:13 2006 CEST using DSA key ID A0B3E88B
| gpg: Can't check signature: public key not found
`----

Hmm, a hint to the right key server would be nice. After
trying some I started googling and found pgp.surfnet.nl,
which serves the two keys listed on the download page.

There is no note on the download page nor on Martin's page in
the Wiki about which server would be right or where to find
the key ... so the signatures are pretty useless unless you
are pedantic.

,----
| ~/download > gpg --keyserver pgp.surfnet.nl --search-keys 0xA0B3E88B
| gpg: searching for "0xA0B3E88B" from hkp server pgp.surfnet.nl
| (1)     Martin Pool <mbp at hp.com>
|         Martin Pool <mbp at samba.org>
|         Martin Pool <mbp at valinux.com>
|         Martin Pool <mbp at canonical.com>
|         Martin Pool <mbp at humbug.org.au>
|         Martin Pool <mbp at sourcefrog.net>
|         Martin Pool <mbp at linuxcare.com.au>
|         Martin Pool <martin.pool at canonical.com>
|         Martin Pool <mbp at users.sourceforge.net>
|         Martin Pool (2000-2001) <mbp at humbug.org.au>
|         Martin Pool (2000-2001) <mbp at linuxcare.com.au>
|         Martin Pool (2000-2001) <mbp at users.sourceforge.net>
|           1024 bit DSA key A0B3E88B, created: 2000-07-24
| Keys 1-1 of 1 for "0xA0B3E88B".  Enter number(s), N)ext, or Q)uit > 1
| gpg: requesting key A0B3E88B from hkp server pgp.surfnet.nl
| gpg: key A0B3E88B: "Martin Pool <mbp at sourcefrog.net>" not changed
| gpg: Total number processed: 1
| gpg:              unchanged: 1
`----

And the second one.

,----
| ~/download > gpg --keyserver pgp.surfnet.nl --search-keys 0x218D18D7
| gpg: searching for "0x218D18D7" from hkp server pgp.surfnet.nl
| (1)     Robert Schiele <rschiele at gmail.com>
|         Robert Schiele <rschiele at iname.com>
|         Robert Schiele <rschiele at uni-mannheim.de>
|         Robert Schiele <rschiele at rumms.uni-mannheim.de>
|         Robert Schiele <rschiele at informatik.uni-mannheim.de>
|         Robert Schiele <wi00949 at wipool.wifo.uni-mannheim.de>
|         Robert Schiele <pi291 at pips01.informatik.uni-mannheim.de>
|         Robert Schiele <rschiele at pips01.informatik.uni-mannheim.de>
|           1024 bit DSA key 218D18D7, created: 1998-04-05
| Keys 1-1 of 1 for "0x218D18D7".  Enter number(s), N)ext, or Q)uit >         
`----

Is this really a key Martin Pool uses to sign tarballs?

Is Robert Schiele the alter ego of Martin?

IMHO it should be removed from the download page.

But let's check the signature again.

,----
| ~/download > gpg --verify bzr-0.8.1.tar.gz.sig bzr-0.8.1.tar.gz
| gpg: Signature made Wed May 17 04:44:47 2006 CEST using DSA key ID A0B3E88B
| gpg: Good signature from "Martin Pool <mbp at sourcefrog.net>"
| gpg:                 aka "Martin Pool <mbp at samba.org>"
| gpg:                 aka "Martin Pool <mbp at canonical.com>"
| gpg:                 aka "Martin Pool <martin.pool at canonical.com>"
| gpg:                 aka "Martin Pool <mbp at users.sourceforge.net>"
| gpg: WARNING: This key is not certified with a trusted signature!
| gpg:          There is no indication that the signature belongs to the owner.
| Primary key fingerprint: AFAC 578F 1841 EE6B FD95  E143 3C63 CA3F A0B3 E88B
`----

Haha!

This took me too long, so I added a hint on how to verify the sigs.

And I would also recommend checking the MIME type and
removing the other key ID ...

Robert.
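The "public key not found" message in the post already names the signing key: the issuer key ID and the creation time are stored in the signature packet itself, so gpg can print them before it has any key to check against. The following is an added example, not code from the post or from the Bazaar project. It parses a detached OpenPGP signature packet in both the v3 and v4 layouts (RFC 4880, section 5.2) and builds a constructed sample of the same size as the 65-byte .sig served above. The key ID is derived from the fingerprint in the final gpg output and the timestamp from the "Signature made" line (04:44:47 CEST is 02:44:47 UTC, the same instant as the Last-Modified header); the r and s values, the hash algorithm byte and the left16 octets are invented.

```python
"""Added example (not code from the post or from the Bazaar project): read the
issuer key ID and creation time out of a detached OpenPGP signature packet.
Only the key ID (from the fingerprint gpg printed) and the timestamp come
from the post; r, s, the hash algorithm and the left16 octets are made up."""
import struct
from datetime import datetime, timezone

SIG_CREATION_TIME, ISSUER_KEY_ID = 2, 16        # subpacket types, RFC 4880 5.2.3.1

def key_id_from_fingerprint(fpr):
    """v4 key ID = low 64 bits of the fingerprint; gpg's short ID = low 32 bits."""
    return fpr.replace(" ", "").upper()[-16:]

def _read_header(buf):
    """Return (tag, body_offset, body_length); old and new format, no partials."""
    b0 = buf[0]
    if not b0 & 0x80:
        raise ValueError("not an OpenPGP packet")
    if b0 & 0x40:                                   # new-format header
        tag, b1 = b0 & 0x3F, buf[1]
        if b1 < 192:
            return tag, 2, b1
        raise ValueError("multi-octet or partial body lengths not supported")
    tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03        # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    fmt, size = ((">B", 1), (">H", 2), (">I", 4))[ltype]
    return tag, 1 + size, struct.unpack_from(fmt, buf, 1)[0]

def _subpackets(data):
    """Yield (type, value); a subpacket's length octets count the type octet too."""
    off = 0
    while off < len(data):
        b = data[off]
        if b < 192:
            length, off = b, off + 1
        elif b < 255:
            length, off = ((b - 192) << 8) + data[off + 1] + 192, off + 2
        else:
            length, off = struct.unpack_from(">I", data, off + 1)[0], off + 5
        yield data[off] & 0x7F, bytes(data[off + 1:off + length])   # drop critical bit
        off += length

def parse_signature(buf):
    """Extract issuer, time, algorithm and MPI sizes from a detached signature."""
    tag, off, length = _read_header(buf)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = buf[off:off + length]
    if len(body) != length:
        raise ValueError("truncated signature packet")
    version = body[0]
    if version == 3:                                # RFC 4880 5.2.2: fixed layout
        created, key_id, pk_algo, pos = struct.unpack_from(">I", body, 3)[0], body[7:15], body[15], 19
    elif version == 4:                              # RFC 4880 5.2.3: subpackets
        pk_algo = body[2]
        hashed_len = struct.unpack_from(">H", body, 4)[0]
        unhashed_len = struct.unpack_from(">H", body, 6 + hashed_len)[0]
        subs = list(_subpackets(body[6:6 + hashed_len]))
        subs += _subpackets(body[8 + hashed_len:8 + hashed_len + unhashed_len])
        created = next((struct.unpack(">I", v)[0] for t, v in subs if t == SIG_CREATION_TIME), None)
        key_id = next((v for t, v in subs if t == ISSUER_KEY_ID), None)
        pos = 8 + hashed_len + unhashed_len + 2     # skip the left16 hash octets
    else:
        raise ValueError(f"unsupported signature version {version}")
    mpis = []
    while pos < len(body):                          # algorithm-specific MPIs (DSA: r, s)
        bits = struct.unpack_from(">H", body, pos)[0]
        mpis.append(body[pos + 2:pos + 2 + (bits + 7) // 8])
        pos += 2 + (bits + 7) // 8
    return {
        "version": version,
        "created": None if created is None else datetime.fromtimestamp(created, timezone.utc),
        "key_id": None if key_id is None else bytes(key_id).hex().upper(),
        "pk_algo": {1: "RSA", 17: "DSA"}.get(pk_algo, str(pk_algo)),
        "mpi_lengths": [len(m) for m in mpis],
    }

def _mpi(value):
    value = value.lstrip(b"\x00")
    return struct.pack(">H", int.from_bytes(value, "big").bit_length()) + value

def build_dsa_signature(version, key_id_hex, created, r, s):
    """Constructed tag-2 packet: 17 = DSA, 2 = SHA1 (assumed), left16 faked as zeros."""
    kid, t = bytes.fromhex(key_id_hex), struct.pack(">I", created)
    if version == 3:
        body, hdr = bytes([3, 5, 0]) + t + kid + bytes([17, 2]), 0x88   # old format, tag 2
    else:
        hashed = bytes([5, SIG_CREATION_TIME]) + t  # creation time must be a hashed subpacket
        unhashed = bytes([9, ISSUER_KEY_ID]) + kid
        body = (bytes([4, 0, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
                + struct.pack(">H", len(unhashed)) + unhashed)
        hdr = 0xC2                                  # new format, tag 2
    body += b"\x00\x00" + _mpi(r) + _mpi(s)
    return bytes([hdr, len(body)]) + body

# Constructed sample: fingerprint and time from gpg's output in the post, r and s invented.
POOL_KEY_ID = key_id_from_fingerprint("AFAC 578F 1841 EE6B FD95 E143 3C63 CA3F A0B3 E88B")
SIGNED_AT = int(datetime(2006, 5, 17, 2, 44, 47, tzinfo=timezone.utc).timestamp())
FAKE_R, FAKE_S = bytes(range(0x80, 0x94)), bytes(range(0xA0, 0xB4))
SAMPLE_V3 = build_dsa_signature(3, POOL_KEY_ID, SIGNED_AT, FAKE_R, FAKE_S)   # 65 bytes, like the .sig
SAMPLE_V4 = build_dsa_signature(4, POOL_KEY_ID, SIGNED_AT, FAKE_R, FAKE_S)
```

Parsing `SAMPLE_V3` gives a 65-byte packet made 2006-05-17 02:44:47 UTC with a DSA key whose long ID is 3C63CA3FA0B3E88B, the last eight hex digits being the A0B3E88B gpg printed. The key ID is only a lookup hint: a signature names whichever key its author chose, and 32-bit short IDs are cheap to collide, so "Good signature" together with "WARNING: This key is not certified" only proves the tarball matches some key with that ID. What makes the check meaningful is comparing the "Primary key fingerprint" line against a fingerprint published out of band, which is the hint the post asks the download page to carry.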
