octave-4.2.1-w64-installer.exe signed with revoked key

Petr Tobiška
To whom it may concern,

I would like to install Octave on my Windows machine, so I downloaded
octave-4.2.1-w64-installer.exe together with the corresponding
signature as well as gnu-keyring.gpg.

Signature verification is successful:
$  gpg --verify --keyring /d/home/gnupg/gnu-keyring.gpg
gpg: assuming signed data in `octave-4.2.1-w64-installer.exe'
gpg: Signature made Fri, Feb 24, 2017  2:30:57 PM RST using DSA key ID 5D36644B
gpg: Good signature from "John W. Eaton <[hidden email]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DBD9 C84E 39FE 1AAE 99F0  4446 B05F 05B7 5D36 644B

However, pgp.mit.edu as well as sks-keyservers.net report that the key
used for the signature was revoked nearly 3 years ago:

pub  1024R/5D36644B 2014-06-16 *** KEY REVOKED *** [not verified]
                               John W. Eaton <[hidden email]>

This sounds suspicious. Could you please correct it?

Thanks and best regards,

Petr Tobiska
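
An added example, not part of the original message: the gpg output above names a DSA key, while the keyserver line reads 1024R, and the two share only the 8-hex-digit ID 5D36644B. The Python below parses a `gpg --with-colons` style listing and matches keys on the full fingerprint instead of the short ID; the listing is constructed (the second fingerprint is a placeholder, and the first key's length and date are made up), and the function names are illustrative.

```python
# Added example: match keys by full fingerprint, not by 32-bit key ID.
# Record layout follows GnuPG's colon format (doc/DETAILS):
#   pub: field 2 = validity ("r" = revoked), 3 = bits, 4 = algorithm, 5 = key ID
#   fpr: field 10 = fingerprint

ALGO = {"1": "RSA", "17": "DSA"}  # OpenPGP public-key algorithm numbers

# Fingerprint printed by `gpg --verify` in the message above.
SIGNER_FPR = "DBD9 C84E 39FE 1AAE 99F0  4446 B05F 05B7 5D36 644B"

# CONSTRUCTED listing. Key 1 carries the fingerprint from the message; its
# length and creation date are made up. Key 2 stands in for the keyserver
# entry (1024R, 2014-06-16, revoked); its fingerprint is a placeholder.
SAMPLE = """\
pub:-:1024:17:B05F05B75D36644B:946684800:::-:::scESC:
fpr:::::::::DBD9C84E39FE1AAE99F04446B05F05B75D36644B:
pub:r:1024:1:AAAAAAAA5D36644B:1402876800:::-:::sc:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA5D36644B:
"""


def parse_keys(listing):
    """Return one dict per primary key in a colon-format listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"revoked": f[1] == "r", "bits": int(f[2]),
                         "algo": ALGO.get(f[3], f[3]), "keyid": f[4], "fpr": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9].upper()  # first fpr after pub = primary key
    return keys


def classify(keys, signer_fpr):
    """Split keys into the exact signer and keys that only share its short ID."""
    signer_fpr = signer_fpr.replace(" ", "").upper()
    short_id = signer_fpr[-8:]
    signer, lookalikes = None, []
    for k in keys:
        if k["fpr"] == signer_fpr:
            signer = k
        elif k["fpr"] and k["fpr"].endswith(short_id):
            lookalikes.append(k)
    return signer, lookalikes


if __name__ == "__main__":
    signer, lookalikes = classify(parse_keys(SAMPLE), SIGNER_FPR)
    print("signer:", signer)
    print("same short ID, different fingerprint:", lookalikes)
```

On a real keyring, the input would come from `gpg --with-colons --fingerprint --list-keys`, and a keyserver result would be compared against the fingerprint printed by `gpg --verify`.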