I get a bad signature result from all current warrant canaries.
Can anyone else verify this? And why?
I’m curious why Kyle’s is crossed out on the cellular one.
How are you trying to verify them? You’ll need to use gpg --verify [file], and not gpg --check-sig [file] (which to me sounds like what one should use, but that looks like not the way to do it).
Using gpg --verify I get correct signatures:
gusnan@debian-i7:~/temp/purism_warrant_canary > LC_ALL=C gpg --verify hardware-warrant-canary-20220701.txt.sig.todd
gpg: armor header: Hash: SHA512
gpg: original file name=''
gpg: Signature made Thu Jun 30 19:36:35 2022 CEST
gpg: using RSA key B8CAACEAD94930F123C4642C23CF2E3D254514F7
gpg: using pgp trust model
gpg: Good signature from "Todd Weaver <todd@puri.sm>" [unknown]
gpg: aka "Todd Weaver <ceo@puri.sm>" [unknown]
gpg: aka "[jpeg image of size 3931]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B8CA ACEA D949 30F1 23C4 642C 23CF 2E3D 2545 14F7
gpg: textmode signature, digest algorithm SHA512, key algorithm rsa4096