lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 5 Aug 2020 18:36:08 -0700
From:   Randy Dunlap <>
To:     David Niklas <>,
        Greg Kroah-Hartman <>
Cc:     LKML <>
Subject: Re: Is anyone else getting a bad signature from's 5.8
 sources+Greg's sign?

On 8/5/20 5:59 PM, David Niklas wrote:
> Hello,
> I downloaded the kernel sources from using curl, then
> opera, and finally lynx (to rule out an html parsing bug). I did the same
> with the sign and I keep getting:
> %  gpg2 --verify linux-5.8.tar.sign linux-5.8.tar.xz
> gpg: Signature made Mon Aug  3 00:19:13 2020 EDT
> gpg:                using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
> gpg: BAD signature from "Greg Kroah-Hartman
> <>" [unknown]
> I did refresh all the keys just in case.
> I believe this is important so I'm addressing this to the signer and only
> CC'ing the list.
> If I'm made some simple mistake, feel free to send SIG666 to my terminal.
> I did re-read the man page just in case.

It works successfully for me.


If you get "BAD signature"

If at any time you see "BAD signature" output from "gpg2 --verify", please first check the following first:

    Make sure that you are verifying the signature against the .tar version of the archive, not the compressed (.tar.xz) version.
    Make sure the the downloaded file is correct and not truncated or otherwise corrupted.

If you repeatedly get the same "BAD signature" output, please email, so we can investigate the problem.


Powered by blists - more mailing lists