Hi,
I tried to verify the DMG image of OpenSCAD 2021.01 using the associated .asc file. However, GPG says it cannot find the signing key in my keychain.
The signing key’s fingerprint is: E99C F73A 93E5 C42A D4E6 B8D8 0F30 F7BE D74A 1375
I fail to find a key with this fingerprint on keys.openpgp.org or other key servers.
The OpenSCAD download page lists this signing info:
I cannot find any key with the above Key ID or fingerprint.
I can find a key for dev@openscad.org on keys.openpgp.org, but the fingerprint is different: E2EB DADD 336F F516 ADD5 1A78 F3E1 2CCC 2216 4A0F
So I have three different key fingerprints, an .asc file that I cannot use to verify the DMG file, and a key that supposedly belongs to the OpenSCAD developers but is not used anywhere.
Can someone shed some light on this situation and help me verify that I have downloaded a binary that has not been tampered with?
Hi,
I tried to verify the DMG image of OpenSCAD 2021.01 using the associated .asc file. However, GPG says it cannot find the signing key in my keychain.
The signing key’s fingerprint is: E99C F73A 93E5 C42A D4E6 B8D8 0F30 F7BE D74A 1375
I fail to find a key with this fingerprint on keys.openpgp.org or other key servers.
The OpenSCAD download page lists this signing info:
* The OpenSCAD Developers <dev@openscad.org>
* » Key ID: **[0x8AF822A975097442](http://keys.gnupg.net/pks/lookup?search=0x8af822a975097442&fingerprint=on&op=index)**
* » Fingerprint: `B3C9 4B42 50DC 097E 9FFF 8177 8AF8 22A9 7509 7442`
I cannot find any key with the above Key ID or fingerprint.
I *can* find a key for dev@openscad.org on keys.openpgp.org, but the fingerprint is different: E2EB DADD 336F F516 ADD5 1A78 F3E1 2CCC 2216 4A0F
So I have three different key fingerprints, an .asc file that I cannot use to verify the DMG file, and a key that supposedly belongs to the OpenSCAD developers but is not used anywhere.
Can someone shed some light on this situation and help me verify that I have downloaded a binary that has not been tampered with?
