BAD signature ?

brodo · 05-05-2008, 03:52 AM

Sorry to bother you but am I missing something or so ?

bash-3.1$ gpg --verify slackware-12.1-install-dvd.iso.asc slackware-12.1-install-dvd.iso.md5
gpg: Signature made Fri 02 May 2008 01:45:50 AM CEST using DSA key ID 40102233
gpg: BAD signature from "Slackware Linux Project <security@slackware.com>"
bash-3.1$ ls -l
total 3959054
drwxrwxrwx 2 aaaa users 296 2008-03-07 01:21 1
-rw-r--r-- 1 aaaa users 580306 2008-05-05 10:39 CHECKSUMS.md5
-rw-r--r-- 1 aaaa users 197 2008-05-05 10:39 CHECKSUMS.md5.asc
-rw-r--r-- 1 aaaa users 197 2008-05-05 10:24 slackware-12.1-install-dvd.iso.asc
-rw-r--r-- 1 aaaa users 4049520640 2008-05-04 13:40 slackware-12.1-install-dvd.iso.iso
-rw-r--r-- 1 aaaa users 65 2008-05-05 10:24 slackware-12.1-install-dvd.iso.md5
bash-3.1$

Alien Bob · 05-05-2008, 04:29 AM

Just run

Code:

gpg --verify slackware-12.1-install-dvd.iso.asc

Eric

brodo · 05-05-2008, 04:46 AM

Quote:

Originally Posted by Alien Bob

Just run

Code:

gpg --verify slackware-12.1-install-dvd.iso.asc

Eric

Still sth wrong ....:-(..... :

bash-3.1$ gpg --verify slackware-12.1-install-dvd.iso.asc
gpg: no signed data
gpg: can't hash datafile: file open error
bash-3.1$

I've always used 2 arguments following the "gpg --verify" command : the *.asc fingerprint and the examined file.
The content of my directory is:

bash-3.1$ ls -l
total 3959054
drwxrwxrwx 2 aaaa users 296 2008-03-07 01:21 1
-rw-r--r-- 1 aaaa users 580306 2008-05-05 10:39 CHECKSUMS.md5
-rw-r--r-- 1 aaaa users 197 2008-05-05 10:39 CHECKSUMS.md5.asc
-rw-r--r-- 1 aaaa users 197 2008-05-05 10:24 slackware-12.1-install-dvd.iso.asc
-rw-r--r-- 1 aaaa users 4049520640 2008-05-04 13:40 slackware-12.1-install-dvd.iso.iso
-rw-r--r-- 1 aaaa users 65 2008-05-05 10:24 slackware-12.1-install-dvd.iso.md5

Randux · 05-05-2008, 05:57 AM

mv slackware-12.1-install-dvd.iso.iso slackware-12.1-install-dvd.iso

and try it again

Randux · 05-05-2008, 06:34 AM

Quote:

Originally Posted by brodo

I've always used 2 arguments following the "gpg --verify" command : the *.asc fingerprint and the examined file.

That's not required if the files are named properly. The .asc file is not a fingerprint, it's a digital signature which is created by hashing the file and then encrypting it with your private key. That way, anybody who has your public key can compute the same hash, and then decrypt your hash with your public key and compare it to the hash they calculated on the file itself. They must match, and only the person who has your private key could have created a file you can decrypt with your public key.

Anyway you used:

Code:

gpg --verify slackware-12.1-install-dvd.iso.asc slackware-12.1-install-dvd.iso.md5

which could never work. The second file should have been slackware-12.1-install-dvd.iso.iso but you used .md5 which is just another checksum file.

See my answer in the post above; you should not have created *.iso.iso. If you rename the file as I posted with the mv command you can simply do

gpg --verify slackware-12.1-install-dvd.iso.asc

and all will be well.

brodo · 05-05-2008, 08:02 AM

My fault.
Of course the slackware*iso.asc file corresponds to the slackware*.iso cd image, not the slackware*iso.md5 file !
As I've always been only verifying CHECKSUMS.md5 against CHECKSUMS.md5.asc I mistakenly thought that slackware*iso.asc is for checking slackware*iso.md5 file..

Anyway thanks for the explanation; maybe the sunny spring time was involved in this little mess