We now have support for reproducible tarballs dynamically via #185. But if the GPG key is missing on the system, it gives an error message saying "not signed with KEYID".
Receiving objects: 100% (9312/9312), 6.98 MiB | 4.09 MiB/s, done.
Resolving deltas: 100% (6892/6892), done.
Failed to verify 0.2.1, not signed with 22245C81E3BAEB4138B36061310F561200F4AD77
make: *** [Makefile:9: securedrop-client] Error 2
But the actual error is a missing key. If we see "not signed", that may mean an attack of some sort :)
How to reproduce?
gpg2 --delete-keys 22245C81E3BAEB4138B36061310F561200F4AD77
make securedrop-client
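One way to separate the two cases the issue describes, as an added example and not the project's own verification code: classify GnuPG's machine-readable status lines so a missing public key is reported differently from a bad or absent signature. It assumes the status text comes from `git verify-tag --raw`; the function names and the sample status lines are constructed for illustration.

```python
import subprocess

# Fingerprint quoted in the issue's error message.
RELEASE_KEY = "22245C81E3BAEB4138B36061310F561200F4AD77"

def classify(status_text, expected_fpr=RELEASE_KEY):
    """Map GnuPG status lines to a single outcome for a signed tag."""
    seen = {}
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            seen[parts[1]] = parts[2:]
    if "BADSIG" in seen:
        return "bad-signature"       # signature does not match the data
    if "NO_PUBKEY" in seen:
        return "missing-key"         # keyring problem: nothing was verified
    if seen.keys() & {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "expired-or-revoked"
    if "VALIDSIG" in seen:
        args = seen["VALIDSIG"]
        # First field: signing (sub)key fingerprint; last: primary key fingerprint.
        return "ok" if expected_fpr in (args[0], args[-1]) else "wrong-key"
    return "unsigned"                # no signature status lines at all

def verify_tag(tag, repo="."):
    """Run git's tag verification and classify the raw GnuPG status output."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return classify(proc.stderr)     # --raw writes the status lines to stderr

# Constructed status output (not captured from a real run).
SAMPLE_MISSING = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 310F561200F4AD77 1 10 00 1570000000 9\n"
    "[GNUPG:] NO_PUBKEY 310F561200F4AD77\n"
)
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 310F561200F4AD77 Constructed Signer <signer@example.invalid>\n"
)
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 310F561200F4AD77 Constructed Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + RELEASE_KEY + " 2019-10-02 1570000000 0 4 0 1 10 00 "
    + RELEASE_KEY + "\n"
)

if __name__ == "__main__":
    for name, text in [("missing", SAMPLE_MISSING), ("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)]:
        print(name, "->", classify(text))
```

Only the `missing-key` outcome should tell the user to import the key; the `bad-signature`, `wrong-key` and `unsigned` outcomes are the ones that warrant treating the tag as untrusted.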