[LLVMbugs] [Bug 10294] New: Release tarballs are signed with a key that is nowhere to be found

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Thu Jul 7 05:17:15 PDT 2011


           Summary: Release tarballs are signed with a key that is nowhere
                    to be found
           Product: Website
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: General Website
        AssignedTo: unassignedbugs at nondot.org
        ReportedBy: sliedes at cc.hut.fi
                CC: llvmbugs at cs.uiuc.edu

To reproduce:

1. Download http://llvm.org/releases/2.9/llvm-2.9.tgz
2. Download http://llvm.org/releases/2.9/llvm-2.9.tgz.sig
3. Run gpg --verify llvm-2.9.tgz.sig
[gpg indicates key E95C63DC is unknown]
4. Run gpg --recv-key E95C63DC
[gpg indicates the key cannot be found on the public keyserver]
5. Google for E95C63DC
[cannot find the key with Google either]

Actual result:

The key used to sign llvm-2.9.tgz is nowhere to be found. Hence the signature
cannot be verified. Hence the .sig files are rather useless.

Expected result:

The key should be available on the public keyservers and/or on the LLVM

Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

More information about the llvm-bugs mailing list