ErCiccione[m]: Yeah will make a thread soonish

hi all, trying to verify fingerprints for the new gui release and running into some fuckery, good chance it comes down to me not being very adept with gpg but the hashes statement checks out with A valid signature, just not THE valid signature I find in the github

M0x1e[m]: i think the release is signed with a subkey, which makes it look like the fingerprints dont match. what output do you get from gpg --verify

using kleopatra rather than CLI but if the output statement is the same it's "Signed on 2019-12-13 14:30 with unknown certificate 0x94B738DD350132F5ACBEEA1D55432DF31CCD4FCD"

if I decrypt/verify using the asc file as a detached signature it gives me no signatures found instead

the hash itself in the statement does match the file, it's the signed hash statement itself that's thrown me off

the 0x94B7.... is fluffy's subkey

someone had the same issue a couple of weeks ago. i dont know about kleopatra but i think in gpg you had to trust fluffy's key instead of leaving it at the unknown trust level

I see. I had imported/certified the key and it was listed under trusted, I tried adjusting the trust level upward just now but it still parrots back the same output

gpg directly returned it fine, I guess kleopatra just doesn't handle sub keys well. thanks for the help

M0x1e[m]: thanks for verifying!