octave-4.2.1-w64-installer.exe signed with revoked key
To whom it may concern,
I would like to install octave on my windows machine, so I downloaded
octave-4.2.1-w64-installer.exe together with the corresponding
signature as well as gnu-keyring.gpg.
Signature verification is succesfull:
$ gpg --verify --keyring /d/home/gnupg/gnu-keyring.gpg
gpg: assuming signed data in `octave-4.2.1-w64-installer.exe'
gpg: Signature made Fri, Feb 24, 2017 2:30:57 PM RST using DSA key ID 5D36644B
gpg: Good signature from "John W. Eaton <[hidden email]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DBD9 C84E 39FE 1AAE 99F0 4446 B05F 05B7 5D36 644B
However, pgp.mit.edu as well as sks-keyservers.net report that the key
used for the signature was revoked nearly 3 years ago:
pub 1024R/5D36644B 2014-06-16 *** KEY REVOKED *** [not verified]
John W. Eaton <[hidden email]>
This sounds suspiciously. Could you please correct it?