I'm having a really hard time using gpg to verify files, namely because I don't know where the hell to start. I've already browsed through countless similar threads, but none of them made me any wiser.
Now, I have downloaded gcc-4.1.1.tar.bz2 and its sig file gcc-4.1.1.tar.bz2.sig.
How exactly do I go about verifying the bz2 archive using the sig file? I know it involves downloading a public key, but I honestly have no idea how to do so, and I can't find any pointers/instructions on the gnu main page.
Some threads mentioned using something like gpg --keyserver wwwkeys.gnu.org --import <ID>, but I have absolutely no idea what ID to use and how to obtain it. I'm overlooking something very obvious, I'm sure, but what?
Note that on our system the commands pgp and gpg are synonymous.
Also, wherever it makes sense, the --armor flag will produce ASCII rather than binary output; the --sign option will let you sign the message; the -v or --verbose flag provides more details on what's going on; and the --output option will let you choose a non-default filename for the result.
generate a new secret key:
gpg --gen-key
listing keys, with fingerprint:
gpg --fingerprint --list-keys
exporting cleartext public key to an ASCII file:
gpg --output file --armor --export behr@math.niu.edu
signing someone's public key with your secret key:
gpg --sign-key keyID
importing keys from file:
gpg --import file
encrypting a file (you must have the recipient's key on the keyring):
gpg --encrypt --recipient rickert@cs.niu.edu file
(then e.g. mail as an attachment)
decrypting a received file:
gpg --decrypt file
encrypting with a symmetric (non public) cipher:
gpg --symmetric file
(best to use a different passphrase than the one for private key)
this produces file.gpg; then decrypt it simply with
gpg file.gpg
signing a text file (e.g. for mail), output in file.asc:
gpg --clearsign file
signing a file (binary output in file.gpg):
gpg --sign file
verifying a signed file without unpacking the original:
gpg --verify file
creating a detached signature (file unchanged, signature in file.sig):
gpg --detach-sig file
verifying a detached signature of a file:
gpg --verify file.sig
Thank you for the generic RTFM answer, but I'm sorry to say it doesn't answer my question at all. I have read the basic documentation about gpg.
I guess my problem isn't how to use gpg, but rather how to obtain a public key from gnu.org. How would I download a local copy of a public key from gnu.org? Where is the public key I need, and how do I obtain it?
Really didn't mean to give the RTFM answer; I guess that is what I gathered from the information you provided earlier. OK, this might be of assistance, and I promise it isn't an RTFM answer.
where the key number should be provided by the people you are downloading the file you are verifying from; also, the server subkeys.pgp.net could be different, so you might want to ask them that too. Then of course
Quote:
gpg --verify <signature file> <downloaded file>
Again not my intention to post an RTFM answer. I have gone through that believe me.
Retrieve the listed keys from your preferred keyserver.
i.e. gpg --keyserver pgp.mit.edu --recv-key 0x745C015A
Many, many thanks. That's exactly what I was looking for. Still, listing the keys on the mirrors.html page? I'd never have thought to look there; it makes no sense. Ugh.
Quote:
Originally Posted by sheryco
Again not my intention to post an RTFM answer. I have gone through that believe me.
No problem, we're all friends here.
Anyway, I got it working now, the only problem is that gpg outputs that the key isn't "trusted", but I hear it's really a minor issue and I'm sure I can figure it out by myself anyhow.
Oh, and it seems I misunderstood gpg's purpose from the very start, gpg can't be used to check for data corruption in files, can it? If not, then I wonder why sites like gnu only put up sign files and not sha1/md5.
Well, you can sign a file with gpg, then use gpg to check the signature. If the file has been changed in any way, the signature check should fail. Also, if the file fails the signature check, it could mean someone else put the file there instead of the key owner. Either way, if the check fails, don't trust the file.
Untrusted just means you haven't set the key trust level on your end. Just having a key in your ring doesn't mean you explicitly trust that key. There are about 5 levels of trust you can set for a key.
A good way to get familiar with gpg is to install Thunderbird and the Enigmail plugin; then you have a nice interface you can use to manage gpg keys for your email. You can visually see the trust levels set, the keys you have countersigned and submitted back to the key servers, etc.
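An added example (not from anyone in this thread) showing how to read gpg's machine-readable verification result, so that the "key isn't trusted" warning discussed above is told apart from a genuinely bad signature or a missing key. It assumes the status lines come from `gpg --status-fd 1 --verify file.sig file`; the key id, fingerprint and user id in the constructed samples are made up.

```python
"""Decode the status lines printed by `gpg --status-fd 1 --verify file.sig file`
(line format documented in GnuPG's doc/DETAILS). Key ids and fingerprints
below are constructed for illustration, not real GNU project keys."""
from dataclasses import dataclass
from typing import List, Optional

PREFIX = "[GNUPG:] "

@dataclass
class VerifyResult:
    good: bool = False                 # GOODSIG: signature matches the data
    bad: bool = False                  # BADSIG: data or signature was altered
    missing_key: Optional[str] = None  # NO_PUBKEY: key id not on our keyring
    fingerprint: Optional[str] = None  # VALIDSIG: fingerprint of signing key
    trust: Optional[str] = None        # TRUST_UNDEFINED ... TRUST_ULTIMATE

def parse_status(lines: List[str]) -> VerifyResult:
    r = VerifyResult()
    for line in lines:
        if not line.startswith(PREFIX):
            continue                   # ordinary human-readable gpg message
        kw, *args = line[len(PREFIX):].split()
        if kw == "GOODSIG":
            r.good = True
        elif kw == "BADSIG":
            r.bad = True
        elif kw == "NO_PUBKEY":
            r.missing_key = args[0]
        elif kw == "VALIDSIG":
            r.fingerprint = args[0]
        elif kw.startswith("TRUST_"):
            r.trust = kw
    return r

def accept(r: VerifyResult, expected_fpr: str) -> bool:
    # TRUST_UNDEFINED (the "not certified with a trusted signature" warning)
    # is not a failure. What matters is a GOODSIG made by the key whose
    # fingerprint the project published, so pin that fingerprint.
    return r.good and not r.bad and r.fingerprint == expected_fpr.replace(" ", "").upper()

# Constructed samples: a good signature by a key that was imported but never
# marked as trusted (the thread's situation), a bad signature, a missing key.
GOOD_UNTRUSTED = [
    "gpg: Signature made Wed May 24 2006 using DSA key ID 89ABCDEF",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-05-24 1148460000 0 4 0 17 2 00",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
BAD_SIG = ["[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>"]
NO_KEY = ["[GNUPG:] NO_PUBKEY 0123456789ABCDEF"]
```

The published fingerprint can be pasted with the spaces gpg prints in `--fingerprint` output; `accept` normalises it before comparing.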