Thanks. I'm getting concerned though...
On this page, there is a message posted and signed by Wladimir:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009045.html-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello,
Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:
pub 4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key)
Primary key fingerprint: 01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964
For gitian and commit signing I will keep using this key.
Wladimir
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCgAGBQJViphCAAoJEHSBCwEjRsmmtRoIALBzJMGXzoj5t9OQSedxjnjP
sxfHuBwQxeuPYXbRlMjY5UZhmabbt0/mLRfVSdscnCzp0YxbMRwD7I6MdHqXyBtd
oS+TUfMNir5lk7Ti2hRStgvxqsAbHUJ08LlqpJXV5dq3QgeJyJwZM76a6yyaGwxP
SwqvKklQZ/qdrKOgjjn6d5HywgsmybJSDzEDR3k+ogkLsfM1jcpqZhwFeRVpk94m
SgZGLLx5zAIKcLHn4I1FaZ+OAmmS0ukYcmotMOUk6NBEjHTDfjEFBrbrlwvL4G7r
kjd1mRxkaJMxX3nJicXiEQClVoeUrMVyJrrsTGyPixSicdQbItuyLWXm37fAfE0=
=4v49
-----END PGP SIGNATURE-----
For some reason, when I try to verify this message with PGP (Symantec Encryption Desktop 10.3.0), using the same key, I signed **years** ago in my PGP keyring, and that still shows as verified, I am getting a mismatch:
*** PGP SIGNATURE VERIFICATION ***
*** Status: Bad Signature
*** Alert: Signature did not verify. Message has been altered.
*** Signer: Wladimir J. van der Laan (0x2346C9A6)
*** Signed: 6/24/2015 1:45:06 PM
*** Verified: 8/25/2016 4:03:21 AM
*** BEGIN PGP VERIFIED MESSAGE ***
Hello,
Starting with 0.11.0rc3, SHA256SUMS.asc will be signed with the following key:
pub 4096R/36C2E964 2015-06-24 Wladimir J. van der Laan (Bitcoin Core binary release signing key)
Primary key fingerprint: 01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964
For gitian and commit signing I will keep using this key.
Wladimir
*** END PGP VERIFIED MESSAGE ***
The key signature matches! Is there some possible incompatibility between PGP and GPG? Some whitespace / line endings mismatch?
Given, that "state-sponsored" attackers are suspected to be a risk, I'm starting to get paranoid now!!! This is the first time I think I've ever seen verifications fail.
Can anyone else verify the signature on that message with Wladimir's key?