[SOLVED] How to use gpg to verify source files

FranekW · 05-23-2017, 06:01 AM

I have downloaded a couple of source files with corresponding signatures (the code below) but I have got errors.

For instance, I am trying to verify a signature using gpg2:

Code:

wget -c https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.21.tar.bz2
wget -c https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.21.tar.bz2.sig
gpg2 --verify libgpg-error-1.27.tar.bz2.sig libgpg-error-1.27.tar.bz2

but I have got this error:

Code:

gpg: Signature made Tue 28 Feb 2017 14:18:10 GMT using RSA key ID 4F25E3B6
gpg: Can't check signature: No public key
gpg: Signature made Tue 04 Apr 2017 12:04:32 BST using RSA key ID 33BD3F06
gpg: Can't check signature: No public key

They say on this website
https://gnupg.org/download/integrity_check.html

that if the output is like this, I should treat files as suspicious but I checked its checksum by sha1sum and every thing looks all right--the codes from website and generated by sha1sum match

Code:

mine: 1852c066bc21893bc52026ead78edf50fdf15e13
theirs: 1852c066bc21893bc52026ead78edf50fdf15e13

Why can't GPG signature get passed?

Thanks

hydrurga · 05-23-2017, 06:24 AM

From the page you linked to (my highlighting):

Quote:

If the output of the above command is similar to the following, then either you don't have our distribution keys (our signing keys are here) or the signature was generated by someone else and the file should be treated suspiciously.

The "treating as suspicious" option, which you assumed was the case, is only the second of two options.

FranekW · 05-23-2017, 08:42 AM

I found the link. Thanks

hydrurga · 05-23-2017, 08:50 AM

Quote:

Originally Posted by FranekW

I found the link. Thanks

Great. Let us know if you have any problems installing and trusting the GnuPG signature keys, and verifying the downloaded files using gpg2 --verify.

FranekW · 05-23-2017, 12:51 PM

Quote:

Originally Posted by hydrurga

Great. Let us know if you have any problems installing and trusting the GnuPG signature keys, and verifying the downloaded files using gpg2 --verify.

No problems now. I managed to import all keys and trust them. Once they are imported, everything works. This is the website where I found the keys:

https://gnupg.org/signature_key.html

Basically, gpg2 --import <file_with_keys> imports the keys. I also run gpg2 --edit-key <real name> on each key to open an interactive process and set a level of trust. After that, I had no further issues.

hydrurga · 05-23-2017, 01:44 PM

Splendid. Many thanks indeed for including those final steps so that anyone in the future reading this thread will know what to do.

Could you please mark the thread as "Solved"? (see "Thread Tools at the top of the thread)