gpg --verify
is giving me a bad signatures more often than I'd expect. Just this week, two libraries have given me "BAD signature" warnings - Libsodium and chruby. I followed all the instructions on the chruby README and yet still I get a bad signature warning.
Are there some things I should check about my installation? Any help is much appreciated.
$ gpg --version
gpg (GnuPG/MacGPG2) 2.0.17
libgcrypt 1.4.6
Mac OSX 10.6.6
$ gpg --verify libsodium-0.2.tar.gz.sig
gpg: Signature made Tue 29 Jan 05:47:53 2013 GMT using DSA key ID 1CDEA439
gpg: BAD signature from "Jedi/Sector One <[email protected]>"
The chruby problem was fixed by using a different download method, the verification failed with a cURL download but using the Github website's links the file I downloaded worked. Tried the same with libsodium and it still fails, so maybe it's just libsodium's file?
gpg
. Try again using wget:wget http://download.dnscrypt.org/libsodium/releases/libsodium-0.2.tar.gz; wget http://download.dnscrypt.org/libsodium/releases/libsodium-0.2.tar.gz.sig; gpg --verify libsodium-0.2.tar.gz.sig
. md5 hashes of these files: 621890d23a09049b6f54a720e082b642 for the tarball and 496c2f7d883b342b324b6d7da0e27681 for the signature.