Hello Michael, On Fri, May 23, 2014 at 06:46:21PM +0200, Michael Schroeder wrote:
On Fri, May 23, 2014 at 06:31:01PM +0200, Benedikt Wildenhain wrote:
I am using the Debian-packages build for ownCloud, which are available at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.
They are only self-signed
A signature can't be self-signed, so are you talking about the "Release.key" pubkey file that is also in the repository? Yes, exactly.
(besides an signature by 6B9D6523, openSUSE Build Service <buildservice@opensuse.org>, which expired in 2008)
We don't put an expiry date in the openSUSE Build Service signature, so are you talking about the openSUSE Build Service pubkey? If yes, where did you get it from? I used hkp://keys.gnupg.net (the same key is also available via http://keys.gnupg.net/pks/lookup?op=get&search=0x3B3011B76B9D6523 )
$ LANG=C gpg --recv-keys 6B9D6523 gpg: requesting key 6B9D6523 from hkp server keys.gnupg.net gpg: key 6B9D6523: "openSUSE Build Service <buildservice@opensuse.org>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 $ LANG=C gpg --list-sigs 6B9D6523 pub 1024D/6B9D6523 2006-05-24 [expired: 2008-05-23] uid openSUSE Build Service <buildservice@opensuse.org> sig 3 6B9D6523 2006-05-24 openSUSE Build Service <buildservice@opensuse.org>
The pubkey are signed by the openSUSE Build Service key, right? Yes, but at least those I downloaded using the command above wasn't signed by anyone, so I cannot find a signature path to someone, with whom I exchanged keys with before.
Regards, Benedikt Wildenhain