Hi all !,
how can i verify the source file signature in linux ? i have 2 files called file.tar.gz and file.tar.sig

thanks in advance.

regards,
visu

gpg --verify <file>.sig <file>

Or, in your specific case:

$ gpg --verify file.tar.gz.sig file.tar.gz

Hope this helps.

hello
Thanks a lot , it did with gpg commmand i got the following messages:

[user@linux1 Sources]$ gpg --verify nut-1.4.1.tar.gz.sig nut-1.4.1.tar.gz
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: /home/user/.gnupg: directory created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: keyblock resource `/home/user/.gnupg/pubring.gpg': file open error
gpg: Signature made Sat Dec 6 10:18:33 2003 CET using DSA key ID 9DC0E77E
gpg: Can't check signature: public key not found

and also how can i check with md5 files ?



any idea ?

Thanks ,

visu

If you read the output, it says you don't have the public key. In cryptography, in order to verify a signature, you need the public key from the person who signed the file. If you want to verify a md5 hash, you can use the md5sum command.

here's a quick bash script I use to authenticate files. It creates a "venders.gpg" key ring that public keys are imported to instead of your default keyring. Also it will check md5, sha1, and sha256 hashes if present.

#!/bin/sh
VENDOR_KEYRING=vendors.gpg
if [ -e "$1.sig" ]
then KEYID="0x`gpg --verify $1.sig $1 2>&1 | grep 'key ID' | awk '{print $NF}'`"
gpg --no-default-keyring --keyring $VENDOR_KEYRING --recv-key $KEYID
gpg --keyring $VENDOR_KEYRING --verify $1.sig $1
elif [ -e "$1.asc" ]
then KEYID="0x`gpg --verify $1.asc $1 2>&1 | grep 'key ID' | awk '{print $NF}'`"
gpg --no-default-keyring --keyring $VENDOR_KEYRING --recv-key $KEYID
gpg --keyring $VENDOR_KEYRING --verify $1.asc $1
else echo "No GPG signature File"
fi
if [ -e "$1.md5" ]
then if md5sum $1 | diff -i - $1.md5 2> /dev/null
then echo "Md5 hash match!"
else echo "Md5 hash does not match!"
fi
else "Md5 hash file not found."
fi
if [ -e "$1.sha1" ]
then if sha1sum $1 | diff -i - $1.sha1 2> /dev/null
then echo "Sha1 hash match!"
else echo "Sha1 hash does not match!"
fi
else echo "Sha1 hash file not found."
fi
if [ -e "$1.sha256" ]
then if sha256sum $1 | diff -i - $1.sha256 2> /dev/null
then echo "Sha256 hash match!"
else echo "Sha256 hash does not match!"
fi
else "Sha256 hash file not found."
fi
exit 0

Thanks for the script. I know BASH, but the verification stuff has always been a mystery, until now.

I did a few tweaks, posted below. Added comments, fixed a couple of typos, but mostly added the --keyserver pgp.mit.edu specification to specify a specific key server. gnupg.conf allows you to specify a default key server, but only with an HKP address:
QUOTE
# If you have problems connecting to a HKP server through a buggy http
# proxy, you can use keyserver option broken-http-proxy (see below),
# but first you should make sure that you have read the man page
# regarding proxies (keyserver option honor-http-proxy)
UNQUOTE
My gpg.conf could not decipher this with the setting
keyserver hkp://subkeys.pgp.net
so it is just easier to add it to the receive line.

Thank you again for the excellent illumination!!



Kind regards, Andy


============== Amended Script ==============
#!/bin/sh
# This routine was written by "Amerefelie"
# https://www.linuxquestions.org/quest...nature-137111/
#Last updated 090507 by Andy Lavarre alavarre@gmail.com to insert comment analysis documentation
#Last edited 081231 by Amerefelieat 07:58 AM.. Reason: updated script for hash test fail.
#Usage:
# tar_verify $1
# where $1 is the name of the xxx.tar.gz file
# Name the key ring
VENDOR_KEYRING=vendors.gpg
# Report the input
echo "tar file is "$1
# If the signature file xxx.tar.gz.sig exists
if [ -e "$1.sig" ]
# Then strip off the name of the file
then KEYID="0x`gpg --verify $1.sig $1 2>&1 | grep 'key ID' | awk '{print $NF}'`"
echo "The key ID is "$KEYID
# Pull the public key from the default key server to the Vendor keyring
gpg --no-default-keyring --keyring $VENDOR_KEYRING --keyserver pgp.mit.edu --recv-key $KEYID
# Verify the file
gpg --keyring $VENDOR_KEYRING --verify $1.sig $1
# Otherwise, if the signature file is an ASCII
elif [ -e "$1.asc" ]
# Then strip off the name of the file
then KEYID="0x`gpg --verify $1.asc $1 2>&1 | grep 'key ID' | awk '{print $NF}'`"
echo "The key ID is "$KEYID
# Pull the public key from the default key server to the Vendor keyring
gpg --no-default-keyring --keyring $VENDOR_KEYRING --keyserver pgp.mit.edu --recv-key $KEYID
# Verify the file
gpg --keyring $VENDOR_KEYRING --verify $1.asc $1
# Otherwise complain that it does not exist
else echo "No GPG signature File"
# Finish
fi
# Now if not PGP/GPG, but an MD5 instead and the hash file exists
if [ -e "$1.md5" ]
# Then calculate the MD5 hash and compare to the hash file; if the same
then if md5sum $1 | diff -i - $1.md5 2> /dev/null
# Then success
then echo "Md5 hash match!"
# Otherwise complain
else echo "Md5 hash does not match!"
# Finish
fi
# Otherwise complain that it does not exist
else echo "Md5 hash file not found."
# Finish
fi
# Now if not PGP/GPG, but an sha1 instead and the hash file exists
if [ -e "$1.sha1" ]
# Then calculate the sha1 hash and compare to the hash file; if the same
then if sha1sum $1 | diff -i - $1.sha1 2> /dev/null
# Then success
then echo "Sha1 hash match!"
# Otherwise complain
else echo "Sha1 hash does not match!"
# Finish
fi
# Otherwise complain that it does not exist
else echo "Sha1 hash file not found."
# Finish
fi
# Now if not PGP/GPG, but an sha256 instead and the hash file exists
if [ -e "$1.sha256" ]
# Then calculate the sha1 hash and compare to the hash file; if the same
# Then success
then if sha256sum $1 | diff -i - $1.sha256 2> /dev/null
# Then success
then echo "Sha256 hash match!"
# Otherwise complain
else echo "Sha256 hash does not match!"
# Finish
fi
# Otherwise complain that it does not exist
else echo "Sha256 hash file not found."
# Finish
fi
# Quit
exit 0