Same result seemingly regardless of plugin selections.
ls -l
total 5.1M
-rw-rw-r-- 1 user 5.1M Jun 30 15:21 caddy_v0.10.4_linux_amd64.tar.gz
-rw-rw-r-- 1 user 800 Jun 30 15:21 caddy_v0.10.4_linux_amd64.tar.gz.asc
curl https://keybase.io/caddy/pgp_keys.asc | gpg2 --import
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4701 100 4701 0 0 9437 0 --:--:-- --:--:-- --:--:-- 9439
gpg: key 155B6D79CA56EA34: public key "Caddy Web Server <contact@caddyserver.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg2 --verify caddy_v0.10.4_linux_amd64.tar.gz.asc
gpg: assuming signed data in 'caddy_v0.10.4_linux_amd64.tar.gz'
gpg: Signature made Wed 28 Jun 2017 23:43:22 BST using RSA key ID 155B6D79CA56EA34
gpg: BAD signature from "Caddy Web Server <contact@caddyserver.com>" [unknown]
That’s strange, are you sure you’ve done the import correctly? It works for me:
$ gpg --verify caddy_v0.10.4_darwin_amd64.zip.asc caddy_v0.10.4_darwin_amd64.zip
gpg: Signature made Wed Jun 28 16:44:23 2017 MDT using RSA key ID CA56EA34
gpg: Good signature from "Caddy Web Server <contact@caddyserver.com>" [ultimate]
Does the key need to be trusted before it’ll show a good signature?
Like you, I am getting a good signature with the macOS build. Do you have any luck with the Linux 64-bit build?
~/Downloads gpg2 --verify caddy_v0.10.4_darwin_amd64.zip.asc
gpg: assuming signed data in 'caddy_v0.10.4_darwin_amd64.zip'
gpg: Signature made Wed 28 Jun 2017 23:44:23 BST using RSA key ID 155B6D79CA56EA34
gpg: Good signature from "Caddy Web Server <contact@caddyserver.com>" [unknown]
$ gpg --verify caddy_v0.10.4_linux_amd64.tar.gz.asc caddy_v0.10.4_linux_amd64.tar.gz
gpg: Signature made Wed Jun 28 16:43:22 2017 MDT using RSA key ID CA56EA34
gpg: Good signature from "Caddy Web Server <contact@caddyserver.com>" [ultimate]
Try re-downloading it? Maybe your download was corrupted.
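Added example, not part of the thread and not from the Caddy project: gpg's `--status-fd` output reports whether the signature matches the file (`GOODSIG`/`BADSIG`) on a separate line from how far the key is trusted (`TRUST_*`), which is the distinction between the `[unknown]` and `[ultimate]` results above. The function names, the `GPG` variable and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Separates "does the signature match the file" from "how much is the
# signing key trusted", using the lines gpg prints with --status-fd.

# Reads status lines on stdin, prints "<signature> <trust>".
classify_gpg_status() {
    sig=none
    trust=none
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) sig=good ;;        # data matches the signature
            "[GNUPG:] BADSIG "*)  sig=bad ;;         # data does not match
            "[GNUPG:] ERRSIG "*)  sig=unchecked ;;   # e.g. public key not imported
            "[GNUPG:] TRUST_"*)                      # trust in the key, reported separately
                trust=${line#"[GNUPG:] TRUST_"}
                trust=${trust%% *} ;;
        esac
    done
    printf '%s %s\n' "$sig" "$trust"
}

# Hypothetical wrapper: verify_release FILE.asc FILE
# Set GPG=gpg2 on systems where the binary has that name.
verify_release() {
    "${GPG:-gpg}" --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status
}

# Constructed status lines (not captured from a real run); the key ID and
# user ID are the ones shown in the thread.
sample_good_untrusted() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 155B6D79CA56EA34 Caddy Web Server <contact@caddyserver.com>' \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}
sample_bad() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG 155B6D79CA56EA34 Caddy Web Server <contact@caddyserver.com>'
}

sample_good_untrusted | classify_gpg_status
sample_bad | classify_gpg_status
```

A `bad` result means the downloaded bytes differ from what was signed, so the file should not be installed until a fresh download verifies as `good`.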