Bad archive signatures

Trying to verify a Caddy archive download as per /mholt/caddy/wiki/Verifying-Archive-Signatures. GPG reports a bad signature.

Same result seemingly regardless of plugin selections.

ls -l
total 5.1M
-rw-rw-r-- 1 user 5.1M Jun 30 15:21 caddy_v0.10.4_linux_amd64.tar.gz
-rw-rw-r-- 1 user  800 Jun 30 15:21 caddy_v0.10.4_linux_amd64.tar.gz.asc

curl https://keybase.io/caddy/pgp_keys.asc | gpg2 --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4701  100  4701    0     0   9437      0 --:--:-- --:--:-- --:--:--  9439
gpg: key 155B6D79CA56EA34: public key "Caddy Web Server <contact@caddyserver.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg2 --verify caddy_v0.10.4_linux_amd64.tar.gz.asc
gpg: assuming signed data in 'caddy_v0.10.4_linux_amd64.tar.gz'
gpg: Signature made Wed 28 Jun 2017 23:43:22 BST using RSA key ID 155B6D79CA56EA34
gpg: BAD signature from "Caddy Web Server <contact@caddyserver.com>" [unknown]

That’s strange, are you sure you’ve done the import correctly? It works for me:

$ gpg --verify caddy_v0.10.4_darwin_amd64.zip.asc caddy_v0.10.4_darwin_amd64.zip
gpg: Signature made Wed Jun 28 16:44:23 2017 MDT using RSA key ID CA56EA34
gpg: Good signature from "Caddy Web Server <contact@caddyserver.com>" [ultimate]

Does the key need to be trusted before it’ll show a good signature?

Like you, I am getting a good signature with the macOS build. Do you have any luck with the Linux 64-bit build?

~/Downloads gpg2 --verify caddy_v0.10.4_darwin_amd64.zip.asc 
gpg: assuming signed data in 'caddy_v0.10.4_darwin_amd64.zip'
gpg: Signature made Wed 28 Jun 2017 23:44:23 BST using RSA key ID 155B6D79CA56EA34
gpg: Good signature from "Caddy Web Server <contact@caddyserver.com>" [unknown]

Yup, Linux is good for me:

$ gpg --verify caddy_v0.10.4_linux_amd64.tar.gz.asc caddy_v0.10.4_linux_amd64.tar.gz
gpg: Signature made Wed Jun 28 16:43:22 2017 MDT using RSA key ID CA56EA34
gpg: Good signature from "Caddy Web Server <contact@caddyserver.com>" [ultimate]

Try re-downloading it? Maybe your download was corrupted.

File corruption it is! Looks like Firefox was meddling with the file when it downloaded it.

Downloaded via wget and Chrome and both were good.

Cheers for the help. 🙂

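The thread shows two separate things in gpg's output: whether the signature matches the file (BAD vs. Good) and how far the local keyring trusts the key ([unknown] vs. [ultimate]). As an added example, not part of the original posts, the script below classifies gpg's machine-readable `--status-fd` output so a download script can tell a damaged file from an untrusted key. The function names, verdict strings and sample status lines are constructed for illustration, and `gpg` is assumed to be on the PATH with the signing key already imported.

```shell
#!/bin/sh
# Added example: turn gpg's status output into a single verdict.
# GOODSIG, BADSIG, ERRSIG, NO_PUBKEY and TRUST_* are GnuPG status keywords;
# the verdict strings printed here are this example's own.

# classify_status: reads `gpg --status-fd 1 --verify` output on stdin.
classify_status() {
    sig=none
    trust=untrusted   # conservative default when gpg prints no TRUST_ line
    while read -r tag keyword rest; do
        if [ "$tag" != "[GNUPG:]" ]; then continue; fi
        case "$keyword" in
            BADSIG) sig=bad ;;   # data does not match the signature
            GOODSIG) if [ "$sig" = none ]; then sig=good; fi ;;
            ERRSIG|NO_PUBKEY) if [ "$sig" = none ]; then sig=unverifiable; fi ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG)
                if [ "$sig" != bad ]; then sig=expired-or-revoked; fi ;;
            TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE) trust=trusted ;;
            TRUST_UNDEFINED|TRUST_NEVER) trust=untrusted ;;
        esac
    done
    if [ "$sig" = good ]; then
        echo "good-key-$trust"
    else
        echo "$sig"
    fi
}

# verify_download SIGFILE DATAFILE: run gpg on a detached signature and
# classify the result. gpg's exit code is ignored; the status lines decide.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status
}

# Constructed status lines modelled on the outcomes seen in the thread.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 155B6D79CA56EA34 Caddy Web Server <contact@caddyserver.com>'
SAMPLE_GOOD_UNKNOWN='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 155B6D79CA56EA34 Caddy Web Server <contact@caddyserver.com>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_GOOD_ULTIMATE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 155B6D79CA56EA34 Caddy Web Server <contact@caddyserver.com>
[GNUPG:] TRUST_ULTIMATE 0 pgp'

printf '%s\n' "$SAMPLE_BAD" | classify_status            # corrupted download
printf '%s\n' "$SAMPLE_GOOD_UNKNOWN" | classify_status   # intact file, key not yet trusted
printf '%s\n' "$SAMPLE_GOOD_ULTIMATE" | classify_status  # intact file, key trusted
```

A `bad` verdict means the file and signature disagree, so re-download the file; `good-key-untrusted` means the file is intact and only the key's ownership has not been confirmed locally.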