CPAN Signatures and GnuPG
by Simon at 16:50 22/03/06 (Forum::Technical Advice::General)
While attempting to upgrade Bundle::CPAN on an old RedHat 7.1 box I found I was having trouble validating the SIGNATURE files against pgp.mit.edu.

Investigation revealed that the version of gnupg I had installed (gnupg-1.0.4-11) was failing due to its apparent omission to prefix HEX key ids with '0x'. I can only guess that the interface at pgp.mit.edu has changed at some point.

The error messages I was getting were like this:

gpg: requesting key A317C15D from x-hkp://pgp.mit.edu:11371 ...
gpg: can't get key from keyserver: No such file or directory
gpg: Can't check signature: public key not found
==> BAD/TAMPERED signature detected! <==

The earliest version of GnuPG that I could find that fixed the problem (and didn't have a dependency on libc.so.6) was ftp://rpmfind.net/linux/redhat/7.3/en/os/i386/RedHat/RPMS/gnupg-1.0.6-5.i386.rpm

Posted here to aid anyone else who may come across a similar issue in the future, as my own Googling didn't turn anything useful up.

-- simon
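
The failure above is a key-retrieval problem that gets reported as "BAD/TAMPERED", so the following added example (not part of the original post, and not code from CPAN or GnuPG) separates that case from a genuine signature mismatch and builds the 0x-prefixed key ID for keyserver lookups. The function names and category labels are hypothetical, the matching relies on gpg's English messages, and the bad-signature line is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the post): triage gpg verification output so a
# key-retrieval failure is not read as evidence of tampering.

# Normalise a hex key ID to the 0x-prefixed form for keyserver lookups.
# Returns 1 (printing nothing) unless the ID is 8, 16 or 40 hex digits.
normalise_keyid() {
    id=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    id=${id#0x}; id=${id#0X}
    case $id in ''|*[!0-9A-F]*) return 1 ;; esac
    case ${#id} in 8|16|40) printf '0x%s\n' "$id" ;; *) return 1 ;; esac
}

# Classify gpg's English-language messages. Labels are hypothetical names.
# A BAD signature is checked first: it is the only case that says the
# signed data and the signature disagree.
classify_gpg_output() {
    case $1 in
        *"BAD signature from"*)           echo BAD_SIGNATURE ;;
        *"can't get key from keyserver"*) echo KEY_FETCH_FAILED ;;
        *"public key not found"*)         echo KEY_MISSING ;;
        *"Good signature from"*)          echo GOOD_SIGNATURE ;;
        *)                                echo UNKNOWN ;;
    esac
}

# Output quoted in the post above.
SAMPLE_FROM_POST="gpg: requesting key A317C15D from x-hkp://pgp.mit.edu:11371 ...
gpg: can't get key from keyserver: No such file or directory
gpg: Can't check signature: public key not found"

# Constructed sample of a genuine verification failure.
SAMPLE_BAD='gpg: BAD signature from "Constructed Example <dev@example.invalid>"'

echo "post output:   $(classify_gpg_output "$SAMPLE_FROM_POST")"
echo "constructed:   $(classify_gpg_output "$SAMPLE_BAD")"
echo "keyserver id:  $(normalise_keyid A317C15D)"
```

GOOD_SIGNATURE only means the signature matches the key gpg used; whether that key belongs to the module's author is a separate check.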