Sorry, it was the last option "I'm doing something stupid" :)
The package was signed with a sub key which I missed.
Kind regards,
Martijn Brinkers
On 11-11-19 14:19, Martijn Brinkers wrote:
Hi,
I downloaded the latest RC release from the provided link
https://github.com/roundcube/roundcubemail/releases/download/1.4.0/roundcube...
I then downloaded the signature
https://github.com/roundcube/roundcubemail/releases/download/1.4.0/roundcube...
When I try to validate the signature gpg tells me:
gpg --verify roundcubemail-1.4.0.tar.gz.asc gpg: assuming signed data in 'roundcubemail-1.4.0.tar.gz' gpg: Signature made za 09 nov 2019 21:30:45 CET gpg: using RSA key 8970E37A698AF775D87D590DC2946A9609CD56B4 gpg: issuer "devs@roundcube.net"
This shows that the signer has the key id:
8970E37A698AF775D87D590DC2946A9609CD56B4
However according to the website the (short) key ID should be:
41C4F7D5
The download link for the signing key (https://roundcube.net/download/pubkey.asc) matches the above short key id:
F3E4C04BB3DB5D4215C45F7F5AB2BAA141C4F7D5
So either the packages have been signed with a different roundcube devs key or the packages have been modified (or I'm doing something stupid :)
Any idea?
Kind regards,
Martijn Brinkers