If you got "BAD Signature" this morning

The XZ tarballs for the following kernel releases did not initially pass signature verification due to benign changes to the tarball structure done by the pixz compression tool:

  • 4.11.1
  • 4.10.16
  • 4.9.28
  • 4.4.68

These changes would have resulted in GPG returning "Bad Signature" if you tried to verify their integrity. Once we identified the problem, we generated new XZ tarballs without tar header modifications and now they should all pass PGP signature verification.

We preserved the original .xz tarballs as -badsig files in the archives in case you wanted to verify that there was nothing malicious in them, merely tar header changes. You can find them in the same v4.x directory:

Our apologies for this problem and thanks to Brad Spengler and everyone else who alerted us about this issue.

Other resources