Project

General

Profile

BAD signature on version 4.2 zip file

Added by PJ K about 10 years ago

I'm a noob going thru the process of installing Replicant for the first time. When I check the gpg key for the zip file for my Galaxy Tab 2 10.1 I get:
kanga@Trisquel-kanga:~$ gpg --armor --verify Downloads/galaxytab/replicant-4.2-p5100.zip.sig Downloads/galaxytab/replicant-4.2-p5100.zip
gpg: Signature made Tue 21 Jan 2014 00:09:00 EST using RSA key ID 4A80EB23
gpg: BAD signature from "Replicant project release key <>"

The .img and .img.sig files passed with flying colours, I think :)
kanga@Trisquel-kanga:~$ gpg --armor --verify Downloads/galaxytab/recovery.img.sig Downloads/galaxytab/recovery.img
gpg: Signature made Tue 21 Jan 2014 00:09:00 EST using RSA key ID 4A80EB23
gpg: Good signature from "Replicant project release key <>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E776 092B 052A DC91 FDD1 FD80 16D1 FEEE 4A80 EB23

You told us not to go ahead if the check fails. Obviously, the zip file failed.
I'm guessing that the warning for the .img file is because we haven't actually shared and verified each other's keys(?)

I re-downloaded the file just to check I didn't get a foul-up in the download somewhere last time.
This time I checked it with Kgpg and it tells me it's corrupted:
!!
Can you fix it please?

21.png (27.2 KB) 21.png

Replies (2)

RE: BAD signature on version 4.2 zip file - Added by Paul Kocialkowski about 10 years ago

The problem is not on our side. I double-checked the signature both on my local copy of the release files, on the hosting server and downloaded the file from OSUOSL, and it all matches both the MD5 sum and the RSA signature.

Try to find whether your ISP is known to alter the content of packets that it routes. You may also be the target of an attack that tries to inject malicious software. In any case, DO NOT INSTALL THE FILE as long as the signature doesn't match!

Ensure that you have a good level of security on your devices and prepare to defend in case you're the target of an attack.

RE: BAD signature on version 4.2 zip file - Added by PJ K about 10 years ago

Thanks Paul,
I downloaded them with a different browser. I had used Tor last time. I don't know if that mattered. Anyway, files all passed gpg now.
cheers, K

    (1-2/2)