The Wayback Machine - https://web.archive.org/web/20201023140634/https://github.com/nodejs/node/issues/35706
gpg: BAD signature when verifying SHASUMS256.txt.sig on v12.19.0 #35706

Open
masterzu opened this issue Oct 19, 2020 · 1 comment

@masterzu masterzu commented Oct 19, 2020

  • Version: v12.19.0
  • Platform: linux
  • Subsystem:

What steps will reproduce the bug?

wget https://nodejs.org/dist/v12.19.0/node-v12.19.0-linux-x64.tar.xz https://nodejs.org/dist/v12.19.0/SHASUMS256.txt.asc https://nodejs.org/dist/v12.19.0/SHASUMS256.txt.sig

grep node-v12.19.0-linux-x64.tar.xz SHASUMS256.txt.asc | sha256sum -c -
node-v12.19.0-linux-x64.tar.xz: OK

gpg --keyserver pool.sks-keyservers.net --recv-keys B9E2F5981AA6E0CD28160D9FF13993A75599653C
gpg: key F13993A75599653C: 1 signature not checked due to a missing key
gpg: key F13993A75599653C: public key "Shelley Vohr (security is major key) shelley.vohr@gmail.com" imported
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 4 signed: 3 trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 3f, 0u
gpg: Total number processed: 1
gpg: imported: 1

gpg --verify SHASUMS256.txt.sig SHASUMS256.txt.asc
gpg: Signature made Tue 06 Oct 2020 10:35:23 PM CEST
gpg: using RSA key B9E2F5981AA6E0CD28160D9FF13993A75599653C
gpg: BAD signature from "Shelley Vohr (security is major key) shelley.vohr@gmail.com" [unknown]

@masterzu masterzu changed the title gpg: BAD signature when verifying SHASUMS256.txt.sig gpg: BAD signature when verifying SHASUMS256.txt.sig on v12.19.0 Oct 19, 2020
@PoojaDurgad PoojaDurgad added the install label Oct 19, 2020
Member

@richardlau richardlau commented Oct 19, 2020

@masterzu SHASUMS256.txt.sig is the detached signature for SHASUMS256.txt (the file without the .asc extension), e.g. it is meant to be used (as documented in the README):

gpg --verify SHASUMS256.txt.sig SHASUMS256.txt

The SHASUMS256.txt.asc file is a clearsigned file (if you look at the file contents you'll see the appended signature at the end:

-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----

). It's a modified version of SHASUMS256.txt (the original contents plus the signature) and therefore won't verify with the detached signature file. Instead this file can be verified:

gpg --verify SHASUMS256.txt.asc
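
The three outcomes described in this reply, reproduced offline as an added example (not part of the original comments or the Node.js project's tooling). It assumes GnuPG 2.1 or later and `sha256sum`, and uses a throwaway key in a temporary keyring with constructed files; `demo.tar.xz`, the `Demo Releaser` identity and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: throwaway key and constructed files, not Node.js release data.

g() { gpg --batch --quiet "$@"; }

# Build an isolated keyring plus demo.tar.xz, SHASUMS256.txt, .sig and .asc.
setup_demo() {
    DEMO_DIR=$(mktemp -d) || return 1
    GNUPGHOME="$DEMO_DIR/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" && cd "$DEMO_DIR" || return 1
    g --pinentry-mode loopback --passphrase '' --quick-generate-key \
        'Demo Releaser <releaser@example.invalid>' default default never || return 1
    printf 'constructed artifact\n' > demo.tar.xz
    sha256sum demo.tar.xz > SHASUMS256.txt
    # Detached signature: a separate file, SHASUMS256.txt itself is unchanged.
    g --detach-sign --output SHASUMS256.txt.sig SHASUMS256.txt || return 1
    # Clearsigned copy: the text wrapped in PGP framing with the signature appended.
    g --clearsign --output SHASUMS256.txt.asc SHASUMS256.txt
}

# Stop the temporary agent and remove the demo directory.
cleanup_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    cd / && rm -rf "$DEMO_DIR"
}

# Detached signature: needs the signature file AND the exact bytes that were signed.
verify_detached() { g --verify "$1" "$2"; }

# Clearsigned file: carries its own signature, so it is verified by itself.
verify_clearsigned() { g --verify "$1"; }

# Check an artifact using only checksum lines recovered from a verified clearsigned file.
check_artifact() {
    g --yes --output verified-sums.txt --decrypt "$1" || return 1
    grep -F "  $2" verified-sums.txt | sha256sum -c - >/dev/null
}

demo() {
    setup_demo || return 1
    verify_detached SHASUMS256.txt.sig SHASUMS256.txt     && echo "sig + .txt: good"
    verify_detached SHASUMS256.txt.sig SHASUMS256.txt.asc || echo "sig + .asc: BAD (different bytes)"
    verify_clearsigned SHASUMS256.txt.asc                 && echo ".asc alone: good"
    check_artifact SHASUMS256.txt.asc demo.tar.xz         && echo "artifact matches verified checksum"
    cleanup_demo
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to see all four results; `check_artifact` takes its checksum lines from gpg's verified output rather than from the `.asc` file as downloaded.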