There are two links for Fedora Legacy's GPG key - at 
http://www.fedoralegacy.org/about/security.php 
 
The two keys that you obtain by following them are different. I compared them 
because I was wanting to verify that the one for downloading hadn't been 
tampered with. 
 
Maybe this is how it is meant to be, but not being a GPG expert, I wouldn't 
know. If it is how it is meant to be, it ought to be explained on the website.



------- Additional Comments From Freedom_Lover@pobox.com 2004-02-13 11:23:19 ----

David,

I assume you downloaded both keys and ran diff or something on them?  If so,
that's expected.  The ASCII armoring of the keys can and often does differ, but
that's harmless.

What's important is that the key id and fingerprint are the same.  Importing the
keys into gpg indeed shows that they match.  The only difference between the key
on the website and the one on the keyserver is that the key on the keyserver is
signed by Jesse Keating, intrepid leader of the Legacy project.

There was a recent post on the gnupg-users list regarding the differences in
ASCI armored output between a local key export and that from a keyserver.  One
of the GnuPG developers, David Shaw, answered it here:

http://lists.gnupg.org/pipermail/gnupg-users/2004-January/021403.html

Hope this helps.

BTW, Jesse (if you're reading this), can you add a nnote to you TODO list to
check the fingerprint of the Legacy key and post that eother to the list or
confirm it to Eric so he can add that info to the website?



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:23 -------

This bug previously known as bug 1290 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1290
Originally filed under the Fedora Legacy product and General component.

Unknown priority P2. Setting to default priority "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.