Broken gpg signature download and no hints where to find the keys

John Arbash Meinel john at arbash-meinel.com
Fri Aug 25 01:01:06 BST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Widhopf-Fenk wrote:
> At http://bazaar-vcs.org/OfficialDownloads there is a link
> to the GPG signature, but when trying to download it with a
> simple left click in Firefox 1.5.0.6 on Debian I get the
> error: 
> 
> ,----
> | ... bzr-0.9.tar.gz.sig.part could not be saved, because
> | the source file could not be read.  Try again later, or
> | contact the server administrator.
> `----
> 
> When I say "Save link as" I do not get the error, but also no
> downloaded file.
> 
> Is this a bug in FF?  I have never seen that before.
> 
> Others use .asc (apache) or .sign (kernel) as extension and
> I have no problem downloading them.  
> 
> With wget I can get it, but look at the odd mime type, seems
> like a broken mime.types on server?

Odd, considering the default of 'gpg --detach-sign' is a .sig file.
If you do 'gpg --armor --detach-sign' then you get a .asc file, which is
a base-64 encoded version of the regular .sig. (Or something to change
it from a binary file into an ASCII-safe file.)

I get the same complaint about 'Unable to download', though. So we
certainly need to fix it somehow. I'm including some people who might
have access to be able to change the server configuration.


...

> Hmm, a hint to the right key server would be nice, after
> trying some I started googling and found pgp.surfnet.nl
> which serves the two keys listed on the download page.
> 
> No note on the download page nor Martin's page in the Wiki
> which server would be right or where to find the key ...
> so the signatures are pretty useless unless you are
> pedantic. 

I would assume it is on the "standard" servers of 'subkeys.pgp.net' and
'pgp.mit.edu'.

gpg --keyserver subkeys.pgp.net --recv-key A0B3E88B

Works fine for me.

It might be just that subkeys.pgp.net and pgp.mit.edu don't like to do a
"search" on the key id. They prefer it if you use '--recv-key' to
'--search-keys'.

...

> 
> This took me too long so I added a hint on how to verify the sigs.
> 
> And I would also recommend checking the mime type and
> removing the other key id ...
> 
> Robert.
> 
> 

I updated your hint a bit. I think subkeys.pgp.net is a more official
location.

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE7j2TJdeBCYSNAAMRAojsAKCIUgdWE1lKWX4vR6XoNHLVMualnACbBzwB
tbnHqGlqcfk6IAcd67tBE8o=
=PjTU
-----END PGP SIGNATURE-----



