GPG sig does not verify


$ gpg --verify moc-2.6-alpha3.tar.asc moc-2.6-alpha3.tar.xz gpg: Signature made Wed 16 Nov 2016 02:13:12 AM CET using RSA key ID 2885A7AA gpg: BAD signature from "MOC Release Signing Key"

This despite the fact that the MD5 hashes match those given on moc's website, both for the signature and the source tarball. I have gpg version 1.4.22, while the signature was made with 1.4.10, but that shouldn't be a problem.

According to the MOC README:

... verify the tarball thusly:

xzcat moc-2.6-alpha3.tar.xz | gpg --verify moc-2.6-alpha3.tar.asc -

The signature file (*.asc) was made against the uncompressed tarball, ...

But you were right to verify it and not proceed further if you didn't get a good result.