[RCU] Release signatures incorrect?

Martijn Brinkers martijn.list at gmail.com
Mon Nov 11 14:19:05 CET 2019


I downloaded the latest RC release from the provided link


I then downloaded the signature


When I try to validate the signature gpg tells me:

gpg --verify roundcubemail-1.4.0.tar.gz.asc
gpg: assuming signed data in 'roundcubemail-1.4.0.tar.gz'
gpg: Signature made za 09 nov 2019 21:30:45 CET
gpg:                using RSA key 8970E37A698AF775D87D590DC2946A9609CD56B4
gpg:                issuer "devs at roundcube.net"

This shows that the signer has the key id:


However according to the website the (short) key ID should be:


The download link for the signing key
(https://roundcube.net/download/pubkey.asc) matches the above short key id:


So either the packages have been signed with a different roundcube devs
key or the packages have been modified (or I'm doing something stupid :)

Any idea?

Kind regards,

Martijn Brinkers
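
Added example, not part of the original message and not Roundcube's own tooling: gpg reports the fingerprint of the key that made the signature, which can be a signing subkey, while a published short key ID is the last 8 hex digits of a primary key fingerprint. The sketch below parses `gpg --with-colons` style output and reports how a signature fingerprint relates to a published ID; every fingerprint, the listing and the function names are constructed for illustration.

```python
# Added example. All fingerprints are constructed, not real Roundcube keys.
PRIMARY_FPR = "AAAA" * 8 + "11112222"   # constructed primary key fingerprint
SUBKEY_FPR = "BBBB" * 8 + "33334444"    # constructed signing subkey fingerprint

# Constructed listing in the format of `gpg --with-colons --show-keys pubkey.asc`
SAMPLE_LISTING = "\n".join([
    f"pub:-:4096:1:{PRIMARY_FPR[-16:]}:1500000000:::-:::scESC:",
    f"fpr{':' * 9}{PRIMARY_FPR}:",
    "uid:-::::1500000000::0000::Example Devs <devs@example.org>:",
    f"sub:-:4096:1:{SUBKEY_FPR[-16:]}:1500000000::::::s:",
    f"fpr{':' * 9}{SUBKEY_FPR}:",
])


def parse_colons(listing):
    """Map each fingerprint in the listing to (role, primary fingerprint)."""
    keys, primary, pending = {}, None, None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            pending = fields[0]          # the next fpr record belongs to this key
        elif fields[0] == "fpr" and pending:
            fpr = fields[9].upper()      # field 10 of an fpr record is the fingerprint
            if pending == "pub":
                primary = fpr
            keys[fpr] = ("primary" if pending == "pub" else "subkey", primary)
            pending = None
    return keys


def explain(sig_fpr, published_id, listing):
    """Relate the fingerprint gpg printed to the key ID a site publishes."""
    keys = parse_colons(listing)
    sig_fpr = sig_fpr.replace(" ", "").upper()
    published_id = published_id.replace(" ", "").upper()
    if sig_fpr not in keys:
        return "unknown-key"             # signing key is not in the published key file
    role, primary = keys[sig_fpr]
    if primary.endswith(published_id):
        return role + "-of-published-key"
    return "published-id-mismatch"       # key file and published ID disagree


if __name__ == "__main__":
    print(explain(SUBKEY_FPR, "11112222", SAMPLE_LISTING))
```

A short key ID is only 32 bits, so a match on it is a hint; comparing the full primary fingerprint obtained over a trusted channel is the stronger check.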
