I pulled this repo: https://github.com/monero-project/gitian.sigs

Using GPG 2.2.17 on Windows 7 x64.

Imported contributors' pub keys with python verify-merge.py -i with no problems, and gpg --list-keys shows it's okay.

When I try to check a signature manually, it fails:

C:\monero\monero-gitian\v0.15.0.1-win\dikdust>gpg --verify monero-win-0.15-build.assert.sig
gpg: assuming signed data in 'monero-win-0.15-build.assert'
gpg: Signature made 11/24/19 21:06:59 UTC
gpg:                using RSA key 7A499ECDBF8A30A8B3B8A190144D6E86DA9446B8
gpg: BAD signature from "Antonio Alessio "dikdust" Di Pinto <dikdust@gmail.com>" [unknown]

C:\monero\monero-gitian\v0.15.0.0-win\hyc>gpg --verify monero-win-0.15-build.assert.sig
gpg: assuming signed data in 'monero-win-0.15-build.assert'
gpg: Signature made 11/11/19 00:30:50 UTC
gpg:                using DSA key 9404619A9BA7CB5F799E0EA1FD2A70B44AB11BA7
gpg: BAD signature from "Howard Chu <hyc@symas.com>" [unknown]

Obviously, python verify-merge.py fails to check the signatures.

What is wrong?

finnan

1 Answer

I found out that the problem was in line endings. On Windows it defaults to CRLF, of course, with core.autocrlf set to true.

If I manually change line endings to Unix-style LF all checks pass okay:

C:\monero\monero-gitian\v0.15.0.1-win\dikdust>gpg --verify monero-win-0.15-build.assert.sig
gpg: assuming signed data in 'monero-win-0.15-build.assert'
gpg: Signature made 11/24/19 21:06:59 UTC
gpg:                using RSA key 7A499ECDBF8A30A8B3B8A190144D6E86DA9446B8
gpg: Good signature from "Antonio Alessio "dikdust" Di Pinto <dikdust@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7A49 9ECD BF8A 30A8 B3B8  A190 144D 6E86 DA94 46B8

My suggestion: *.assert files should be considered as binary.

finnan
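The failure described in this answer can be checked for before running gpg. The following is an added example, not part of the original post or of the gitian.sigs tooling: it walks a checkout, flags every `*.assert` file that contains CRLF, and shows that restoring LF gives back the digest of the bytes that were signed. The function names, the directory layout and the sample file content are constructed for illustration, and SHA-256 stands in for the hash gpg computes over the signed data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def count_endings(data: bytes) -> dict:
    """Count CRLF, bare LF and bare CR line endings in raw file bytes."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf, "lf": data.count(b"\n") - crlf, "cr": data.count(b"\r") - crlf}


def restore_lf(data: bytes) -> bytes:
    """Undo a CRLF checkout conversion; bare CR bytes are left alone."""
    return data.replace(b"\r\n", b"\n")


def audit(root: Path) -> list:
    """List every *.assert under root whose bytes contain CRLF.

    Each entry is (relative path, digest on disk, digest after restoring LF).
    """
    findings = []
    for path in sorted(root.rglob("*.assert")):
        data = path.read_bytes()
        if count_endings(data)["crlf"]:
            rel = path.relative_to(root).as_posix()
            findings.append((rel, sha256_hex(data), sha256_hex(restore_lf(data))))
    return findings


# Constructed sample content, not a real gitian assert file.
SIGNED_BYTES = b"--- !!omap\n- name: monero-win-0.15\n- out_manifest: |\n    (constructed)\n"


def demo() -> list:
    """Build a constructed checkout: one file kept as LF, one converted to CRLF."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for signer, data in (("signer-a", SIGNED_BYTES),
                             ("signer-b", SIGNED_BYTES.replace(b"\n", b"\r\n"))):
            (root / signer).mkdir()
            (root / signer / "build.assert").write_bytes(data)
        return audit(root)


if __name__ == "__main__":
    for rel, on_disk, as_signed in demo():
        print(f"{rel}: CRLF present\n  on disk : {on_disk}\n  with LF : {as_signed}")
```

The conversion can also be prevented at checkout time with a `.gitattributes` line such as `*.assert -text` (or `*.assert binary`), which tells Git not to convert line endings for those files.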