GPG verification keys don't match

Mark Peloquin markus at
Sat Apr 11 01:01:02 CEST 2020

Since TeX Live is distributed over HTTP (at least the mirror closest to me), I thought I'd add signature verification to my update script. However, the signing key doesn't look right. I checked a mirror and the main, and also a couple different .asc files. They both show 4CE1877E19438C70 as the public key:

% gpg --verify -v install-tl-windows.exe.sha512.asc
gpg: WARNING: unsafe permissions on homedir '/home/peloquin/.gnupg'
gpg: assuming signed data in 'install-tl-windows.exe.sha512'
gpg: Signature made 2020-04-06T05:51:16 PDT
gpg:                using RSA key 4CE1877E19438C70
gpg: Can't check signature: No public key

But this shows that it should be 0D5E5D9106BAB6BC:

I found the incorrect key appear before in this mailing list. The reply says 'the actual signature file is broken':


More information about the tex-live mailing list.