If you run "sa-update -D" and see something like this:
    [26406] dbg: gpg: calling gpg
    [26406] dbg: gpg: gpg: Signature made Thu 18 Oct 2007 02:54:04 AM EDT using RSA key ID 24F434CE
    [26406] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
    [26406] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
    [26406] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1192690444 1
    [26406] dbg: gpg: gpg: Can't check signature: general error
    error: GPG validation failed!
    The update downloaded successfully, but the GPG signature verification failed.
    channel: GPG validation failed, channel failed
    [26406] dbg: generic: cleaning up temporary directory/files
    [26406] dbg: diag: updates complete, exiting with code 4
Then you need to download an updated sa-update key.
As bug 5775 describes, the GnuPG developers decided to create a new error condition for a potentially-dangerous signature style, which unfortunately was one we use for the SpamAssassin update-signing key.
Running this should fix it:
    wget http://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY
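To tell this failure apart from other GPG validation failures in a cron job or monitoring script, the check below scans "sa-update -D" output for the cross-certification warning together with the ERRSIG status line. It is an added example, not part of the original page or of SpamAssassin; the function names classify_sa_update_log and sample_log are hypothetical, and the sample input is the debug output shown above.

```shell
#!/bin/sh
# Added example (not SpamAssassin code): classify "sa-update -D" output on stdin.
# Prints one of:
#   cross-cert <long key id>   the subkey cross-certification failure shown above
#   gpg-other <long key id>    GPG validation failed for some other reason
#   ok                         no GPG validation failure in the log
classify_sa_update_log() {
    awk '
        /signing subkey [0-9A-Fa-f]+ is not cross-certified/ { crosscert = 1 }
        # GnuPG status line: ERRSIG <keyid> <pkalgo> <hashalgo> <class> <time> <rc>
        /\[GNUPG:\] ERRSIG / {
            for (i = 1; i < NF; i++) if ($i == "ERRSIG") keyid = $(i + 1)
        }
        /GPG validation failed/ { failed = 1 }
        END {
            if (failed && crosscert) {
                print "cross-cert " keyid
            } else if (failed) {
                print "gpg-other " (keyid != "" ? keyid : "-")
            } else {
                print "ok"
            }
        }
    '
}

# Sample input: the debug output quoted on this page.
sample_log() {
    cat <<'EOF'
[26406] dbg: gpg: calling gpg
[26406] dbg: gpg: gpg: Signature made Thu 18 Oct 2007 02:54:04 AM EDT using RSA key ID 24F434CE
[26406] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[26406] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1192690444 1
[26406] dbg: gpg: gpg: Can't check signature: general error
error: GPG validation failed!
channel: GPG validation failed, channel failed
[26406] dbg: diag: updates complete, exiting with code 4
EOF
}

# On a live system: sa-update -D 2>&1 | classify_sa_update_log
sample_log | classify_sa_update_log
```

A "cross-cert" result is the case this page covers; "gpg-other" points at a different signature problem that re-importing the key may not resolve.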