[squid-users] Can't verify the signature of squid-6.7.tar.gz

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 8 05:58:44 UTC 2024 

On 8/02/24 02:19, Miha Miha wrote:
> Hi Francesco,
> 
> I still get an issue, although a slightly different one:
> 
> #gpg --verify squid-6.7.tar.gz.asc squid-6.7.tar.gz
> gpg: Signature made Tue 06 Feb 2024 10:51:28 PM EET using ? key ID FEF6E865
> gpg: Can't check signature: Invalid public key algorithm
> 


The error mentions algorithm, so also check the ciphers/algorithms 
supported by your GPG agent. The new key uses the EDDSA cipher instead 
of typical RSA.



> When I try to import the public keys (pgp.asc file) I see:
> 
> #gpg --import pgp.asc
> 
> ...
> gpg: key FEF6E865: no valid user IDs
> gpg: this may be caused by a missing self-signature
> ...
> 
> All the rest keys have an user and e-mail.
> 
> When I list the imported pub keys with   gpg --list-keys I see
> multiple keys, but not the FEF6E865
> 
> May be the pub key hasn't been properly imported?
> 

Please check the contents of squid-6.7.tar.gz.asc. The full key ID 
should be provided there (FEF6E865 is one of its short-forms).

If you have any doubts about the keyring (pgp.asc file), you can try to 
fetch a fresh copy of it from <http://master.squid-cache.org/pgp.asc>



FTR; this is what I get working from a clean /tmp/squid pseudo-chroot 
directory to avoid my actual trusted+known keys:

## mkdir /tmp/squid

## wget http://master.squid-cache.org/pgp.asc

## gpg --homedir /tmp/squid --import pgp.asc
gpg: WARNING: unsafe permissions on homedir '/tmp/squid'
gpg: keybox '/tmp/squid/pubring.kbx' created
gpg: key B268E706FF5CF463: 1 duplicate signature removed
gpg: key B268E706FF5CF463: 4 signatures not checked due to missing keys
gpg: /tmp/squid/trustdb.gpg: trustdb created
gpg: key B268E706FF5CF463: public key "Amos Jeffries 
<amos at treenet.co.nz>" imported
gpg: key 4250AB432402F2F8: 1 signature not checked due to a missing key
gpg: key 4250AB432402F2F8: public key "Duane Wessels 
<wessels at squid-cache.org>" imported
gpg: key E75E90C039CC33DB: 202 signatures not checked due to missing keys
gpg: key E75E90C039CC33DB: public key "Henrik Nordstrom 
<henrik at henriknordstrom.net>" imported
gpg: key 867BF9A9FBD3EB8E: 605 signatures not checked due to missing keys
gpg: key 867BF9A9FBD3EB8E: public key "Robert Collins 
<robertc at robertcollins.net>" imported
gpg: key CD6DBF8EF3B17D3E: 1 signature not checked due to a missing key
gpg: key CD6DBF8EF3B17D3E: public key "Amos Jeffries (Squid Signing Key) 
<squid3 at treenet.co.nz>" imported
gpg: key 28F85029FEF6E865: public key "Francesco Chemolli (code signing 
key) <kinkie at squid-cache.org>" imported
gpg: key 3AEBEC6EC66648FD: public key "Francesco Chemolli (kinkie) 
<kinkie at kinkie.it>" imported
gpg: Total number processed: 7
gpg:               imported: 7
gpg: no ultimately trusted keys found

## wget http://master.squid-cache.org/Versions/v6/squid-6.7.tar.gz
## wget http://master.squid-cache.org/Versions/v6/squid-6.7.tar.gz.asc

## gpg --homedir /tmp/squid --verify squid-6.7.tar.gz.asc squid-6.7.tar.gz
gpg: WARNING: unsafe permissions on homedir '/tmp/squid'
gpg: Signature made Wed 07 Feb 2024 09:51:28 NZDT
gpg:                using EDDSA key 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865
gpg: Good signature from "Francesco Chemolli (code signing key) 
<kinkie at squid-cache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the 
owner.
Primary key fingerprint: 29B4 B1F7 CE03 D1B1 DED2  2F30 28F8 5029 FEF6 E865



HTH
Amos

More information about the squid-users mailing list