Hello,
Thanks to jthill for highlighting the discrepancies in the key ids and to a tip I've received from someone else. I have successfully been able to verify the kernel source. Below are details of the steps I took to resolve the issues.
1. Fetch the kernel source and the corresponding signature key, in this example, I'm working with kernel version 2.6.32.48 from
http://www.kernel.org/pub/linux/kernel/v2.6/longterm/
Code:
wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/linux-2.6.32.48.tar.xz
wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/linux-2.6.32.48.tar.sign
2. Fetch "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" Public Key from wwwkeys.pgp.net
Code:
gpg --keyserver wwwkeys.pgp.net --recv-keys 0x6092693E
3. You first need to extract the tar file "linux-2.6.32.48.tar" from the compressed archive otherwise you will encounter the problem below:
Quote:
$ gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar.xz
gpg: Signature made Sat 12 Nov 2011 07:07:53 AM CST using RSA key ID 6092693E
gpg: BAD signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
|
Extract file:
Code:
unxz linux-2.6.32.48.tar.xz
linux-2.6.32.48.tar
4. Then verify source
Code:
gpg --verify linux-2.6.32.48.tar.sign linux-2.6.32.48.tar
gpg: Signature made Tue Nov 8 19:04:21 2011 EST using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E