Topic: Litecoin 0.10.4.0 release: GPG signature verification failure

ottodv
Litecoin 0.10.4.0 release: GPG signature verification failure
« on: January 03, 2016, 12:00:54 PM »
Trying to verify the signature for the Linux release:

Code:
$ gpg --verify litecoin-0.10.4.0-linux-signatures.asc
gpg: invalid armor header: Hash SHA256\r\n
gpg: invalid armor header: Version GnuPG v2\r\n

Signature for the windows release works fine though:

Code:
$ gpg --verify litecoin-0.10.4.0-win-signatures.asc
gpg: Signature made Sat 02 Jan 2016 01:31:22 AM CET using RSA key ID 7809386C
gpg: Good signature from "Adrian Gallagher <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 59CA F0E9 6F23 F537 4794  5FD4 FE33 4887 7809 386C

Tried to manually add colons after Hash and Version, but that didn't solve it and caused other errors.

crazik (Administrator)
Re: Litecoin 0.10.4.0 release: GPG signature verification failure
« Reply #1 on: January 03, 2016, 05:41:39 PM »
Looks like you have a problem with Windows/Unix newline signs.
Please try dos2unix on the PGP files.

thrasher (Litecoin Dev Team)
Re: Litecoin 0.10.4.0 release: GPG signature verification failure
« Reply #2 on: January 04, 2016, 08:42:20 PM »
The litecoin-0.10.4.0-linux-signatures.asc file contains sha256 hashes of all the Linux tarballs; however, if you're after the individual .asc file for a particular tarball, you can find them here:

https://download.litecoin.org/litecoin-0.10.4.0/linux/

ottodv
Re: Litecoin 0.10.4.0 release: GPG signature verification failure
« Reply #3 on: January 04, 2016, 11:54:21 PM »
Yeah, that one works:

Code:
$ gpg --verify litecoin-0.10.4.0-linux64.tar.gz.asc
gpg: assuming signed data in `litecoin-0.10.4.0-linux64.tar.gz'
gpg: Signature made Sat 02 Jan 2016 01:22:51 AM CET using RSA key ID 7809386C
gpg: Good signature from "Adrian Gallagher <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 59CA F0E9 6F23 F537 4794  5FD4 FE33 4887 7809 386C

Nevertheless, I suggest you check litecoin-0.10.4.0-linux-signatures.asc; for one, it seems to me there should be colons after "Hash" and "Version":

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash SHA256

af9740393a35103ca3e5256bae082975894fa12f0d416438f73d2b8f1372aed2 litecoin-0.10.4.0-linux32.tar.gz
2d98c30ab2ab1c1846fe59f162c297485a81f94e87ae43d60582c6559a3d4e60 litecoin-0.10.4.0-linux64.tar.gz
-----BEGIN PGP SIGNATURE-----
Version GnuPG v2

iQEcBAEBCAAGBQJWhxrAAAoJEP4zSId4CThsJYgHRzgvJ9lAzBpSHnJkveiOs83
s2Jn+6rf9xwQcGZdDQBlHB5SqfgtqBBa8USXhayqLnSicp88UKdEIg8UbuYiBZme
d4zHbzzU9M0i5mRDJOnKw6ON5r4sFlTYKsQjCQTIqJhGfCcPM3YSYkYkt7rIe6bJ
QPYYceMaKiOkQUMDl5mmDj1nLaYCLsDfMphAn3NC4cKLY1DLyp7kmv6ofmFbKaw
DwWDDI+1JTbAKHy3NHBnkr1zm5YZIpdB456I8H9WL7awVMn79wKwvYKDA5dA8kg
lkbWU1pmkPGbvEEgj2+rrepc+S1VnOuCxOQSe7GvaXdC8YDXlsS7k2LiWOQihGc=
=Vj9
-----END PGP SIGNATURE-----

totedati
Re: Litecoin 0.10.4.0 release: GPG signature verification failure
« Reply #4 on: January 19, 2016, 11:36:27 PM »
Quote from: crazik
Looks like you have a problem with Windows/Unix newline signs.
Please try dos2unix on the PGP files.

True, it is the incorrect Hash SHA256 and Version GnuPG v2 lines that gpg is barking at. But using dos2unix will modify the signed file's integrity and you will get another gpg error: gpg: abnormal CRC

For example, README-HOWTO-GPG-VERIFY-TEAM-MEMBERS-KEY.txt has the proper Hash: SHA256 and Version: GnuPG v2 lines, but you will get another error:

Code:
gpg --verbose --verify README-HOWTO-GPG-VERIFY-TEAM-MEMBERS-KEY.txt
gpg: header armură: Hash: SHA256
gpg: header armură: Version: GnuPG v2
gpg: nume fișier original=''
gpg: Semnătură făcută Vi 19 iun 2015 08:46:20 +0300 EEST folosind cheia RSA cu ID 7809386C
gpg: folosesc model de încredere PGP
gpg: Semnătură INCORECTĂ din "Adrian Gallagher <[email protected]>"
gpg: semnătură modtext, algoritm rezumat SHA256

Very likely because a final unsigned edit slipped into it ... duh!  :-*

So, please please please give us proper bits to crunch, not what looks like rushed-to-go releases! We, the people, want proper signatures, dammit!

Also, I can confirm litecoin-0.10.4.0-linux64.tar.gz.asc is OK.
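
Added example, not part of the original thread and not Litecoin or GnuPG code: a small linter for the armor-level conditions this thread runs into, namely header lines that are not in `Key: Value` form, CRLF line endings, and a checksum line that does not match the RFC 4880 CRC-24 of the decoded signature body. The function names are assumptions, and `sample()` builds constructed input whose payload is a placeholder, not a real signature.

```python
import base64
import re

HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: .*$")  # RFC 4880 "Key: Value"

def crc24(data: bytes) -> int:  # RFC 4880 section 6.1, over the decoded bytes
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def lint_armor(raw: bytes) -> list:
    """Report armor-level problems only; this does not verify the signature."""
    findings = ["CRLF line endings"] if b"\r\n" in raw else []
    lines = raw.decode("ascii", "replace").replace("\r\n", "\n").split("\n")
    body, crc_field, state, is_sig = [], None, None, False
    for line in lines:
        if line.startswith("-----BEGIN PGP "):
            state, is_sig = "hdr", "SIGNATURE" in line
        elif line.startswith("-----END PGP "):
            state = None
        elif state == "hdr" and not line.strip():   # blank line ends the headers
            state = "sig" if is_sig else None
        elif state == "hdr" and not HEADER_RE.match(line):
            findings.append("malformed armor header: %r" % line)
        elif state == "sig" and line.startswith("="):
            crc_field = line[1:]                     # "=XXXX" checksum line
        elif state == "sig" and line:
            body.append(line)
    try:
        data = base64.b64decode("".join(body), validate=True)
        want = base64.b64decode(crc_field or "", validate=True)
        if body and want != crc24(data).to_bytes(3, "big"):
            findings.append("CRC-24 checksum missing or wrong")
    except ValueError:
        findings.append("base64 body or checksum line does not decode")
    return findings

def sample(colon: bool, eol: bytes) -> bytes:  # constructed input, not a real signature
    sep, blob = (": " if colon else " "), b"constructed-payload-not-a-signature"
    rows = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash" + sep + "SHA256", "",
            "<sha256-placeholder>  example.tar.gz", "-----BEGIN PGP SIGNATURE-----",
            "Version" + sep + "GnuPG v2", "", base64.b64encode(blob).decode(),
            "=" + base64.b64encode(crc24(blob).to_bytes(3, "big")).decode(),
            "-----END PGP SIGNATURE-----", ""]
    return eol.join(r.encode() for r in rows)
```

To check a downloaded file, pass its bytes, for example `lint_armor(open(path, "rb").read())`. An empty result only means the armor is well-formed; `gpg --verify` still decides whether the signature is good.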