Discussion:
Guile Release Signing Key?
Christopher Howard
2017-09-15 18:30:08 UTC
Hi, I'm in the habit of checking release signatures before I install
from source. I see in the Download area there are signatures for each
of the Guile releases, but I can't seem to find the right public key. I
imported the project key chain and then (re?)imported the keys listed
for each of the project admins, but no luck.
--
Christopher Howard
Computer Assistant
Alaska Satellite Internet
3239 La Ree Way
Fairbanks, Alaska 99709
1-888-396-5623
https://alaskasatelliteinternet.com
personal web site: https://qlfiles.net
https://emailselfdefense.fsf.org/en/
Matt Wette
2017-09-15 19:14:08 UTC
Post by Christopher Howard
> Hi, I'm in the habit of checking release signatures before I install
> from source. I see in the Download area there are signatures for each
> of the Guile releases, but I can't seem to find the right public key. I
> imported the project key chain and then (re?)imported the keys listed
> for each of the project admins, but no luck.
Try something like the following:

$ gpg --verify guile-2.2.2.tar.gz.sig

Matt
Alex Vong
2017-09-16 10:28:21 UTC
Post by Christopher Howard
> Hi, I'm in the habit of checking release signatures before I install
> from source. I see in the Download area there are signatures for each
> of the Guile releases, but I can't seem to find the right public key. I
> imported the project key chain and then (re?)imported the keys listed
> for each of the project admins, but no luck.
Hello,

I think the key is revoked because the key owner (Andy Wingo)'s laptop
was stolen:

***@debian:/tmp$ LC_ALL=C torsocks gpg --verify guile-2.2.2.tar.xz.sig guile-2.2.2.tar.xz
gpg: Signature made Fri Apr 21 22:33:48 2017 CST
gpg: using RSA key FF478FB264DE32EC296725A3DDC0F5358812F8F2
gpg: Good signature from "Andy Wingo <***@pobox.com>" [unknown]
gpg: aka "Andy Wingo <***@gnu.org>" [unknown]
gpg: aka "Andy Wingo <***@igalia.com>" [unknown]
gpg: WARNING: This key has been revoked by its owner!
gpg: This could mean that the signature is forged.
gpg: reason for revocation: Key has been compromised
gpg: revocation comment: Laptop stolen 7 August 2017.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FF47 8FB2 64DE 32EC 2967 25A3 DDC0 F535 8812 F8F2
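
The output above shows gpg printing "Good signature" for a key that has been revoked, so a script that only looks for that phrase would accept the file. The following added example (not part of any post in this thread and not Guile project code) classifies the machine-readable `--status-fd` lines instead; the function name, the sample status lines and the `0123...` placeholder fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the machine-readable status lines that
#   gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null
# writes, read from stdin. $1 = expected primary-key fingerprint (40 hex
# digits, obtained out of band). Prints a verdict; exit status 0 only for "ok".
classify_gpg_status() {
    expected=$1
    good=no; revoked=no; expired=no; bad=no; unchecked=no; primary=
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG)          good=yes ;;
            REVKEYSIG)        revoked=yes ;;    # signature matches, but key is revoked
            EXPSIG|EXPKEYSIG) expired=yes ;;
            BADSIG)           bad=yes ;;
            ERRSIG|NO_PUBKEY) unchecked=yes ;;  # e.g. public key not in the keyring
            VALIDSIG)         primary=${rest##* } ;;  # last field: primary-key fingerprint
        esac
    done
    if   [ "$bad" = yes ];       then verdict=bad-signature
    elif [ "$revoked" = yes ];   then verdict=revoked-key
    elif [ "$expired" = yes ];   then verdict=expired
    elif [ "$unchecked" = yes ]; then verdict=cannot-check
    elif [ "$good" != yes ];     then verdict=no-signature
    elif [ "$primary" != "$expected" ]; then verdict=unexpected-signer
    else verdict=ok
    fi
    printf '%s\n' "$verdict"
    [ "$verdict" = ok ]
}

# Constructed sample status output (not captured from a real gpg run).
# The revoked case uses the key ID and fingerprint shown in the thread.
REVOKED_FPR=FF478FB264DE32EC296725A3DDC0F5358812F8F2
SAMPLE_REVOKED="[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG DDC0F5358812F8F2 Andy Wingo
[GNUPG:] VALIDSIG $REVOKED_FPR 2017-04-21 1492785228 0 4 0 1 8 00 $REVOKED_FPR"
# Placeholder fingerprint for a hypothetical non-revoked signer.
GOOD_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $GOOD_FPR 2017-04-21 1492785228 0 4 0 1 8 00 $GOOD_FPR"
SAMPLE_NOKEY="[GNUPG:] ERRSIG DDC0F5358812F8F2 1 8 00 1492785228 9
[GNUPG:] NO_PUBKEY DDC0F5358812F8F2"

printf '%s\n' "$SAMPLE_REVOKED" | classify_gpg_status "$REVOKED_FPR" || true  # revoked-key
```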