On 2016-10-01 12:05:06, SREZIC wrote:
Show quoted text> On 2016-10-01 11:54:55, ANDK wrote:
> > gpg: Signature made Sat Oct 1 17:34:31 2016 CEST
> > gpg: using RSA key BF640CDA37065F8D
> > gpg: requesting key BF640CDA37065F8D from hkp server pool.sks-
> > keyservers.net
> > gpg: Can't check signature: No public key
> > ==> BAD/TAMPERED signature detected! <==
> >
> > Signature invalid for distribution file. Please investigate.
> >
> > I'd recommend removing
> > /home/ftp/pub/PAUSE/authors/id/S/SR/SREZIC/Image-Info-1.38_50.tar.gz.
> > Some
> > error occurred while checking its signature, so it could be
> > invalid. Maybe you have configured your 'urllist' with a
> > bad
> > URL. Please check this array with 'o conf urllist' and retry.
> > Or
> > examine the distribution in a subshell. Try
> > look SREZIC/Image-Info-1.38_50.tar.gz
> > and run
> > cpansign -v
> > SREZIC/Image-Info-1.38_50.tar.gz
> > Did not pass the signature test.
> >
> >
> >
> > Is the key uploaded elsewhere?
>
> Hmmm...
>
> 16:03 cpansand@eserte (..age-Info-1.38_50-0): cpansign -v
> Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks-
> keyservers.net:11371 --keyserver-options=auto-key-retrieve
> /tmp/jfP1MXvsHq
> gpg: Signature made Sat Oct 1 15:34:31 2016 UTC using RSA key ID
> 37065F8D
> gpg: Good signature from "Slaven Rezic <srezic@cpan.org>"
> gpg: aka "eserte@de.freebsd.org"
> gpg: aka "Slaven Rezic <slaven@rezic.de>"
> gpg: aka "Slaven Rezic <eserte@cs.tu-berlin.de>"
> gpg: aka "Slaven Rezic <eserte@users.sourceforge.net>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 37 70 2A BB A3 2C 35 A7 10 D3 40 E8 4B A1 D4
> 5E
> ==> Signature verified OK! <==
The last eight hex digits match, but what's the extra eight in your version of the key id?
gpg: using RSA key BF640CDA37065F8D
gpg: Signature made Sat Oct 1 15:34:31 2016 UTC using RSA key ID 37065F8D