Gavin signs the package that is uploaded, but the reports of the build itself, and signatures of that, are uploaded here.
Thanks ... what does this mean?
$ gpg --verify bitcoin-build.assert.sig
gpg: Signature made Wed 19 Sep 2012 03:36:41 AM NZST using RSA key ID 2346C9A6
gpg: BAD signature from "Wladimir J. van der Laan <laanwj@gmail.com>"
$ gpg --verify bitcoin-build.assert.sig
gpg: Signature made Tue 18 Sep 2012 11:13:44 AM NZST using RSA key ID C87992E0
gpg: BAD signature from "Pieter Wuille (Dept. of Computer Science, KULeuven) <pieter.wuille@cs.kuleuven.be>"
TheBlueMatt doesn't have a PGP signing key advertised anywhere prominently that I could see so didn't test that one ....
(I downloaded the bitcoin-build.assert files from github and imported gpg keys of you guys from key server, and directly from linked bitcoin front page)
Is there a special method needed to download/verify these bitcoin-build.assert files or should straight gpg work?
EDIT: okay I was able to get some good signatures ... if anybody else is wondering you need to download both .sig and bitcoin-build.assert files as raw (right click Save As on Raw button), it seems git must add something even when you use "wget" ... maybe needs a binary ftp or ... ?
Will look like this
$ gpg --verify bitcoin-build.assert.sig
gpg: Signature made Tue 18 Sep 2012 11:13:44 AM NZST using RSA key ID C87992E0
gpg: Good signature from "Pieter Wuille (Dept. of Computer Science, KULeuven) <pieter.wuille@cs.kuleuven.be>"
gpg: aka "Pieter Wuille (Location: Leuven, Belgium) <sipa@ulyssis.org>"
gpg: aka "Pieter Wuille (Location: Leuven, Belgium) <pieter@wuille.biz>"
gpg: aka "Pieter Wuille (Location: Leuven, Belgium) <pieter.wuille@gmail.com>"
gpg: aka "[jpeg image of size 6073]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D762 373D 2490 4A3E 42F3 3B08 B9A4 08E7 1DAA C974
Subkey fingerprint: E3F8 2E40 73CC 179E 70F1 F44B 8F65 3255 C879 92E0
and
$ gpg --verify bitcoin-build.assert.sig
gpg: Signature made Wed 19 Sep 2012 03:36:41 AM NZST using RSA key ID 2346C9A6
gpg: Good signature from "Wladimir J. van der Laan <laanwj@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6
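The two issues seen in the post above (BAD signatures from non-raw downloads, and the "not certified with a trusted signature" warning) can be checked in a script; this is an added example, not part of the original thread. It assumes the non-raw download was GitHub's HTML page view of the file. The function names are hypothetical and the sample status line is constructed, using the fingerprints shown in the post.

```shell
#!/bin/sh
# Added example: check that a download is not an HTML page, then judge the
# signature from gpg's machine-readable status lines (--status-fd).

# Return 0 if the file starts like an HTML page (assumption: the BAD
# signatures came from saving GitHub's page view instead of the Raw file).
looks_like_html() {
    head -c 512 "$1" | tr 'A-Z' 'a-z' | grep -Eq '<!doctype html|<html'
}

# Read `gpg --status-fd 1 --verify ...` output on stdin.
# $1 = expected primary key fingerprint (spaces allowed).
# Return 0 only if a VALIDSIG line names that primary key and no BADSIG is seen.
check_sig_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "BADSIG"   { bad = 1 }
        # Field 12 of a VALIDSIG line is the primary key fingerprint.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if ($12 == want) ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# $1 = .sig file, $2 = signed file, $3 = fingerprint obtained out of band.
verify_raw() {
    if looks_like_html "$1" || looks_like_html "$2"; then
        echo "not a raw download: $1 / $2" >&2
        return 2
    fi
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_sig_status "$3"
}

# Constructed status line (not captured gpg output); the subkey and primary
# key fingerprints are the ones printed in the post.
SAMPLE='[GNUPG:] VALIDSIG E3F82E4073CC179E70F1F44B8F653255C87992E0 2012-09-17 1347923624 0 4 0 1 2 00 D762373D24904A3E42F33B08B9A408E71DAAC974'
if printf '%s\n' "$SAMPLE" |
        check_sig_status 'D762 373D 2490 4A3E 42F3 3B08 B9A4 08E7 1DAA C974'; then
    echo "valid signature from the pinned primary key"
fi
```

Pinning the primary key fingerprint is what stands in for the missing trust path that the WARNING lines report; the fingerprint has to come from a channel other than the key server.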