LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-23-2017, 06:01 AM   #1
FranekW
LQ Newbie
 
Registered: Apr 2017
Distribution: CentOS 7
Posts: 29

Rep: Reputation: Disabled
How to use gpg to verify source files


I have downloaded a couple of source files with corresponding signatures (the code below) but I have got errors.

For instance, I am trying to verify a signature using gpg2:

Code:
wget -c https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.21.tar.bz2
wget -c https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.21.tar.bz2.sig
gpg2 --verify libgpg-error-1.27.tar.bz2.sig libgpg-error-1.27.tar.bz2
but I have got this error:

Code:
gpg: Signature made Tue 28 Feb 2017 14:18:10 GMT using RSA key ID 4F25E3B6
gpg: Can't check signature: No public key
gpg: Signature made Tue 04 Apr 2017 12:04:32 BST using RSA key ID 33BD3F06
gpg: Can't check signature: No public key
They say on this website
https://gnupg.org/download/integrity_check.html

that if the output is like this, I should treat files as suspicious but I checked its checksum by sha1sum and every thing looks all right--the codes from website and generated by sha1sum match

Code:
mine: 1852c066bc21893bc52026ead78edf50fdf15e13
theirs: 1852c066bc21893bc52026ead78edf50fdf15e13
Why can't GPG signature get passed?

Thanks
 
Old 05-23-2017, 06:24 AM   #2
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 20 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917
From the page you linked to (my highlighting):

Quote:
If the output of the above command is similar to the following, then either you don't have our distribution keys (our signing keys are here) or the signature was generated by someone else and the file should be treated suspiciously.
The "treating as suspicious" option, which you assumed was the case, is only the second of two options.

Last edited by hydrurga; 05-23-2017 at 06:26 AM.
 
Old 05-23-2017, 08:42 AM   #3
FranekW
LQ Newbie
 
Registered: Apr 2017
Distribution: CentOS 7
Posts: 29

Original Poster
Rep: Reputation: Disabled
I found the link. Thanks
 
Old 05-23-2017, 08:50 AM   #4
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 20 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917
Quote:
Originally Posted by FranekW View Post
I found the link. Thanks
Great. Let us know if you have any problems installing and trusting the GnuPG signature keys, and verifying the downloaded files using gpg2 --verify.
 
Old 05-23-2017, 12:51 PM   #5
FranekW
LQ Newbie
 
Registered: Apr 2017
Distribution: CentOS 7
Posts: 29

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by hydrurga View Post
Great. Let us know if you have any problems installing and trusting the GnuPG signature keys, and verifying the downloaded files using gpg2 --verify.
No problems now. I managed to import all keys and trust them. Once they are imported, everything works. This is the website where I found the keys:

https://gnupg.org/signature_key.html

Basically, gpg2 --import <file_with_keys> imports the keys. I also run gpg2 --edit-key <real name> on each key to open an interactive process and set a level of trust. After that, I had no further issues.
 
1 members found this post helpful.
Old 05-23-2017, 01:44 PM   #6
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 20 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917Reputation: 2917
Splendid. Many thanks indeed for including those final steps so that anyone in the future reading this thread will know what to do.

Could you please mark the thread as "Solved"? (see "Thread Tools at the top of the thread)
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
can't verify truecrypt downloads using gpg ham bone Linux - Software 2 12-24-2013 01:14 AM
[Solved] gpg --verify ... WARNING ? stringchopper Linux - Security 7 03-04-2013 06:03 PM
[SOLVED] gpg --verify <filename>: what does it really do? stf92 Slackware 14 07-18-2012 01:02 PM
gpg --verify multiple files Phorize Slackware 8 06-22-2011 07:25 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 04:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration