can't verify truecrypt downloads using gpg

ham bone · 12-23-2013, 03:35 AM

Can someone please explain exactly how to use gpg to verify truecrypt signatures? The manual and Google are clear as a mud, or when they were clear, they were old and failed. I've wasted two hours on this. gpg --verify just generates "file open errors," which are false since I don't open that which I cannot verify. I can import the key, from the mit keyserver, but gpg was useless, even cd into the files' directory did not help. gpg cannot read a tar.gz.sig file. Can't hash...blah,blah. Can't find a signature, etc. Yes, everything was downloaded more than once.
It's not me because there are similar post to this one on the web, and I've managed to get freebsd striped across two mirrors working, aka raid10. Simple commands are easy for me.
Help would be greatly appreciated.
Signed,
More than frustrated
Thanks in advance

ham bone · 12-23-2013, 09:05 PM

I am to believe that no one knows how to verify the pgp signature from truecrypt using gpg? I think the reason that no one wants to help me is that I expressed frustration with the fact that gpg documentation is old and outdated. That would be lame for I simply spoke the truth. Shame on you! Would you feel better if I had typed "I am just a stupid newbie." It's interesting to see both the quality and quantity of help that those individuals receive.
#
#
I would still appreciate and need help.
Thanks in advance for taking the time.

John VV · 12-24-2013, 01:14 AM

if you would include the link you are using
so that others can check it
then we might be able to help

we do not know if the sig is even for the current version
nor if that is the version you are trying to check

nor what operating system
I am guessing you are using Archlinux
but what 32 bit or 64 bit ?

from
http://www.truecrypt.org/downloads

for
truecrypt-7.1a-linux-x64.tar.gz
truecrypt-7.1a-linux-x64.tar.gz.sig
did you READ the WARNING pop up on the download ?

Quote:

Note: In the past, many users reported that our public key was invalid, even though it was actually valid. When verifying the signature, if you receive an error message stating that the signing key is invalid, you need to sign our public key with your private key first (then the error message will no longer appear).

In other words, the "Invalid Key" error message does NOT mean that our key is actually invalid (you just need to sign the key, after you add it to your keyring, in order to mark the key as trusted). That's how PGP and GPG work.

did you add it to your keyring ?

and did you READ the Arch wiki?
https://wiki.archlinux.org/index.php/TrueCrypt
and install the truecript repo
and install truecrypt
THE ARCH WAY !!! with packman