[CMake] GPG-Verifying the integrity of a CMake release: BAD signature from "Brad King"

Konrad Kleine konrad.wilhelm.kleine at gmail.com
Mon May 9 11:11:32 EDT 2016


Hi,

I'm trying to verify the integrity of a CMake release using GPG. I'm
getting the error that there's a BAD signature from "Brad King". Now I
wonder what could be the reason for this issue.

To make it easily reproducible, here's my Dockerfile, describing the
process for you to test it yourself. If you don't know Docker, just run the
commands after "RUN" on a CentOS/RHEL machine.

FROM centos:7

RUN yum install -y gpg

# Get CMake from official website
ADD https://cmake.org/files/v3.5/cmake-3.5.2-Linux-x86_64.tar.gz /tmp
ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt /tmp
ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt.asc /tmp

# Install CMake to /opt/cmake*
RUN tar xzf /tmp/cmake-*.tar.gz -C /opt
RUN echo "alias cmake=/opt/cmake*/bin/cmake" > ~/.bashrc

# Import Brad King's key from public PGP/GPG server
RUN gpg --keyserver pgp.mit.edu --recv 7BFB4EDA

# Ultimately trust Brad's key (non-interactively)
# (see http://blog.tersmitten.nl/how-to-ultimately-trust-a-public-key-non-interactively.html)
RUN echo "$( \
    gpg --list-keys --fingerprint \
      | grep 7BFB4EDA -A 1 \
      | tail -1 \
      | tr -d '[:space:]' \
      | awk 'BEGIN { FS = "=" } ; { print $2 }' \
    ):6:" \
    | gpg --import-ownertrust;

# Verify the integrity of the downloaded cmake tarball against Brad King's key
RUN gpg --verbose --verify /tmp/cmake*.asc /tmp/cmake*.tar.gz


Here's the output which indicates that something is wrong with the
signature:

docker build -t docker_image_centos .
Sending build context to Docker daemon 19.46 kB
Step 1 : FROM centos:7
 ---> 28e524afdd05
Step 2 : RUN yum install -y rpm-build gcc-c++ make doxygen gpg git rpmlint
 ---> Using cache
 ---> 14ac7b398da3
Step 3 : ADD https://cmake.org/files/v3.5/cmake-3.5.2-Linux-x86_64.tar.gz /tmp
Downloading [==================================================>] 28.43 MB/28.43 MB
 ---> Using cache
 ---> 7580075ff224
Step 4 : ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt /tmp
Downloading   1.3 kB

 ---> Using cache
 ---> 2baf274427a5
Step 5 : ADD https://cmake.org/files/v3.5/cmake-3.5.2-SHA-256.txt.asc /tmp
Downloading    819 B

 ---> Using cache
 ---> 3fe12e2bb3c9
Step 6 : RUN tar xzf /tmp/cmake-*.tar.gz -C /opt
 ---> Using cache
 ---> a045dc6c3c14
Step 7 : RUN echo "alias cmake=/opt/cmake*/bin/cmake" > ~/.bashrc
 ---> Using cache
 ---> 86072dec6ba5
Step 8 : RUN gpg --keyserver pgp.mit.edu --recv 7BFB4EDA
 ---> Running in 7becb0710a74
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 7BFB4EDA from hkp server pgp.mit.edu
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 7BFB4EDA: public key "Brad King" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
 ---> 0f01ef261745
Removing intermediate container 7becb0710a74
Step 9 : RUN echo "$(     gpg --list-keys --fingerprint       | grep 7BFB4EDA -A 1       | tail -1       | tr -d '[:space:]'       | awk 'BEGIN { FS = "=" } ; { print $2 }'     ):6:"     | gpg --import-ownertrust;
 ---> Running in 74316f6291cb
gpg: inserting ownertrust of 6
 ---> b94c3ff29994
Removing intermediate container 74316f6291cb
Step 10 : RUN gpg --verbose --verify /tmp/cmake*.asc /tmp/cmake*.tar.gz
 ---> Running in 31e58a9e6637
Version: GnuPG v2
gpg: armor header:
gpg: Signature made Fri Apr 15 15:41:34 2016 UTC using RSA key ID 34921684
gpg: using subkey 34921684 instead of primary key 7BFB4EDA
gpg: using PGP trust model
gpg: checking the trustdb
gpg: 1 keys cached (24 signatures)
gpg: 1 keys processed (0 validity counts cleared)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: BAD signature from "Brad King"
gpg: binary signature, digest algorithm SHA256
The command '/bin/sh -c gpg --verbose --verify /tmp/cmake*.asc /tmp/cmake*.tar.gz' returned a non-zero code: 1


Am I doing something wrong? How is a release supposed to be verified using
GPG?

Thank you in advance!

Konrad
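The Dockerfile above hands gpg the tarball as the signed data, while on cmake.org the .asc file is a detached signature over the cmake-3.5.2-SHA-256.txt checksum list, which in turn covers the tarball. The script below is an added example, not part of the post and not CMake's own tooling; it runs the verification in the order the files support, assumes gpg and sha256sum are on PATH, and uses a placeholder EXPECTED_FPR where the signing key's full fingerprint belongs.

```shell
#!/bin/sh
# Added example, not the poster's Dockerfile or CMake's tooling. On cmake.org the
# .asc file is a detached signature over cmake-X.Y.Z-SHA-256.txt, not over the
# tarball, so verification is two steps: gpg checks the signature on the checksum
# list, then sha256sum checks the tarball against that now-trusted list.
# Assumptions: gpg and sha256sum are on PATH; EXPECTED_FPR is a placeholder to
# replace with the full 40-hex-digit fingerprint of the release signing key.
set -eu

EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"  # placeholder

# Step 1: verify the detached signature on the checksum list. Read gpg's
# machine-readable status and compare the primary-key fingerprint reported on
# the VALIDSIG line, rather than trusting the exit status or a short key ID.
verify_checksum_signature() {  # $1 = SHA-256.txt  $2 = SHA-256.txt.asc
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # "[GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>": take the last field
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{ print $NF }')
    [ "$primary" = "$EXPECTED_FPR" ]
}

# Step 2: check one tarball against the signed list. Only the line naming this
# tarball is handed to sha256sum, so a stale or unrelated entry cannot mask a
# mismatch; --strict makes a malformed line a failure instead of a skip.
verify_tarball_checksum() {  # $1 = SHA-256.txt  $2 = path to tarball
    dir=$(dirname "$2"); name=$(basename "$2")
    line=$(grep -F -- " $name" "$1" | head -n 1)
    [ -n "$line" ] || { echo "no checksum entry for $name" >&2; return 1; }
    (cd "$dir" && printf '%s\n' "$line" | sha256sum -c --strict --quiet -)
}

# Run both steps over a directory holding the tarball, the checksum list and
# its .asc, as downloaded in the post. Fails closed on the first problem.
verify_release() {  # $1 = directory
    sums=$(printf '%s' "$1"/cmake-*-SHA-256.txt)
    verify_checksum_signature "$sums" "$sums.asc" ||
        { echo "signature on $sums is BAD or from an unexpected key" >&2; return 1; }
    for tb in "$1"/cmake-*.tar.gz; do
        verify_tarball_checksum "$sums" "$tb" || return 1
    done
    echo "release verified: $(basename "$sums") signed by $EXPECTED_FPR"
}

if [ -n "${1:-}" ]; then verify_release "$1"; fi
```

Run as `sh verify.sh /tmp` against the three files the Dockerfile downloads; the fingerprint check is what protects against a keyserver returning a different key for the same short ID.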