Created attachment 775763
output of "gpg --check-sigs"

After obtaining the service-keys.gpg file from https://qa-reports.gentoo.org/output/service-keys.gpg I ran "gpg --check-sigs", which gave the output attached with this report. It shows that

gpg: 13 good signatures
gpg: 1 bad signature
gpg: 12 signatures not checked due to missing keys

I suspect that it is connected to this key

pub   rsa4096 2009-08-25 [SC] [expires: 2023-07-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>

as this is the only place where a minus sign shows up ("sig-3" instead of "sig!3"). Another member of the #gentoo channel confirmed this behaviour. Maybe a disclaimer should be added to https://www.gentoo.org/downloads/signatures/

What do you think?

Kind regards and thank you for your time,
Quarz
Release team, any ideas? -A
I just received another report of this happening with a friend while fetching keys from hkps://keys.gentoo.org. Told him it was likely something in gentoo infra screwing up, suggested --keyserver keyserver.ubuntu.com and it worked to pull valid signatures.