On Thursday 2021-12-23 16:03, Alexey Tikhonov wrote: -rw-r--r-- 1 jengelh users 7598580 Dec 23 15:46+0100 sssd-2.6.2.tar.gz -rw-r--r-- 1 jengelh users 833 Dec 23 15:46+0100 sssd-2.6.2.tar.gz.asc md5sum: a07f6c77fa846b910bf2d8662b010717 1.gz c883aa3c4b161595f593d88b949371b1 1.gz.asc gpg: Signature made 2021-12-23T15:33:39 CET gpg: using RSA key 1597174989DDD7EE68DACCBD75FBD239B5E3AF9B Later, build.opensuse.org rejected the submission because something sneakily changed upstream -rw-r--r-- 1 jengelh users 7598580 Dec 23 15:46+0100 sssd-2.6.2.tar.gz -rw-r--r-- 1 jengelh users 833 Dec 23 16:22+0100 sssd-2.6.2.tar.gz.asc a07f6c77fa846b910bf2d8662b010717 sssd-2.6.2.tar.gz 548cff73689925889f040f4b38e613ca sssd-2.6.2.tar.gz.asc gpg: Signature made 2021-12-23T16:21:08 CET gpg: using RSA key 930201AAB42DD1947210B7838D7326351A726211 Besides that, where can we get the GPG keys? The keyserver infrastructure is a bit in disarray (keys.openpgp.net is the only modern instance left, and it needs some extra steps from key owners) and does not seem to hold either key with a name.

On Thu, Dec 23, 2021 at 11:25 PM Jan Engelhardt <jengelh(a)inai.de&gt; wrote: My fault: once I published this release and we started Fedora rebase, we realized that I used different keys to sign 2.6.2 tag and tarball. That's why I created and uploaded a new tarball signature. This time using the same key as was used to sign the tag. is a key We used keys.gnupg.net but it seems to be broken now. keys.openpgp.net doesn't work for me either. We will discuss this topic within the maintainers team in January and will announce decisions made. Meanwhile I uploaded this key to https://keys.openpgp.org/ This is not ideal but what you can check right now: (1) if you click on a green "check" near the "2.6.2" tag label in release at GitHub, you can see: - "This tag was signed with the committer’s verified signature." - GPG key ID: 8D7326351A726211 -- this is the same key ID as you see in (updated) sssd-2.6.2.tar.gz.asc (compare last 16 chars) So, if I understand correctly, at least you can be sure tarball is signed with the same key as uploaded to github.com/alexey-tikhonov profile - member of SSSD org. (2) Not a real argument, of course, but you can check that this tarball was used for a Fedora rebase: - https://bodhi.fedoraproject.org/updates/FEDORA-2021-5558bc3b55 - https://koji.fedoraproject.org/koji/buildinfo?buildID=1869895 - https://kojipkgs.fedoraproject.org//packages/sssd/2.6.2/1.fc36/src/sssd-2... -- see content (3) you can compare sources with the 2.6.2 tag upstream. There is also `scripts/release.sh` that is used to generate tarballs, but the result might differ a bit depending on the autotools version. Sorry for the confusion I created - this was the first time I published an upstream release.