LinuxQuestions.org
Old 03-02-2006, 11:05 AM   #1
minike
Member
 
Registered: Aug 2004
Location: Argentina
Distribution: slackware 12
Posts: 211

Rep: Reputation: 30
how to use gpg?


I'm trying to verify a tar.gz's signature, but don't know if I'm doing it wrong, or the tarball is corrupted.. here I paste the command and the output:
Code:
$ gpg --verify ircii-pana-1.1-final.tar.gz.sig ircii-pana-1.1-final.tar.gz

gpg: Signature made Mon 12 Jul 2004 02:40:51 AM ART using DSA key ID 2132046F
gpg: Can't check signature: public key not found

so, isn't that .sig file the public key of the tarball? (or should I have MY own public signature?)

Any help is welcome
tanx in advance
 
Old 03-02-2006, 11:51 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
The .sig file is the signature of the tarball. You'll need the corresponding public key to verify the signature.
 
Old 03-02-2006, 12:27 PM   #3
minike
Member
 
Registered: Aug 2004
Location: Argentina
Distribution: slackware 12
Posts: 211

Original Poster
Rep: Reputation: 30
ok.. I've got the public key... I 'imported' it to gpg thru the --import command, and then I executed the previous command, but nothing changed.. what should I do (and how) with that .asc file (the public key), the .sig one (the signature) and the tarball ?
thanks 4 helping
 
Old 03-02-2006, 12:36 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
If it's the right key, do 'gpg --import KEYFILE.asc' and then do the verify step. If it still fails, use gpg --list-keys to make sure you have key 2132046F. If you don't, you need to find the right public key for it.
 
Old 03-02-2006, 02:10 PM   #5
minike
Member
 
Registered: Aug 2004
Location: Argentina
Distribution: slackware 12
Posts: 211

Original Poster
Rep: Reputation: 30
thanx again 4 takin' your time answering..
let's go step by step:

I found a .asc file which, once --import-ed, made the "2132046F" string appear with the --list-keys command. The name of that file is "sin.asc", but this one says "freeBSD" in its header; that's why, thinking it was just for BSD machines, the first one I downloaded was another named powuh.asc, whose header says "GNU/linux".
(both files in here: ftp://ftp.bitchx.org/pub/BitchX/gpgkeys/)
Importing powuh.asc, the output was, as I said, the same as importing nothing.


Now, with "sin.asc" imported and the "2132046F" string within the list-keys output, I ran the --verify process, and the output was different, but still not OK..

would U be so kind to tell me if this output is the normal way of gpg warning the signature is not ok, or if I'm still missing something... and what should be my next step to assure the reliability of the tarball
here's all of the outputs I get with gpg:

Code:
$ gpg --list-keys
/home/jp/.gnupg/pubring.gpg
---------------------------
pub  1024D/13D548DA 2003-04-18 Dan Muntz <powuh@bitchx.com>
uid                            Dan Muntz <dan@venoma.org>
uid                            Dan Muntz <powuh@bitchx.org>
sub  1024g/3122361A 2003-04-18

pub  1024D/2132046F 2004-07-12 Robert D. Andrews (RELI Networks, Inc. CEO/President) <randrews@relinetworks.com>
sub  2048g/4E393AB7 2004-07-12

Code:
$ gpg --verify ircii-pana-1.1-final.tar.gz.sig ircii-pana-1.1-final.tar.gz
gpg: Signature made Mon 12 Jul 2004 02:40:51 AM ART using DSA key ID 2132046F
gpg: Good signature from "Robert D. Andrews (RELI Networks, Inc. CEO/President) <randrews@relinetworks.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F267 46E8 69BD 1AA4 1711  0254 EC50 E21A 2132 046F
 
Old 03-02-2006, 04:39 PM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
The signature has checked out fine. It is only saying that the key in use was not signed by someone you explicitly trust: which is quite often the case, and perfectly fine.
 
Old 03-02-2006, 05:40 PM   #7
minike
Member
 
Registered: Aug 2004
Location: Argentina
Distribution: slackware 12
Posts: 211

Original Poster
Rep: Reputation: 30
ok, so.. whenever I see that "good signature from.." it means the file is not corrupted, regardless of the following lines, isn't it?

thanks 4 your patience, and let me ask one more thing:
how did you know the valid key was "sin.asc" instead of the "powuh.asc" that I downloaded first? How can I distinguish the right one from several files like in this case?
best regards,
 
Old 03-02-2006, 06:42 PM   #8
dr_zayus69
Member
 
Registered: Sep 2004
Location: western massachusetts
Distribution: fedora core 3, Suse 10
Posts: 877

Rep: Reputation: 35
I think it was from this line in your posted output.

Code:
gpg: Signature made Mon 12 Jul 2004 02:40:51 AM ART using DSA key ID 2132046F

So you could tell from that you needed key 2132046F. I don't know where you would look to find it. Where did you find it? I thought maybe it would be at MIT's keyserver http://pgp.mit.edu/ I wouldn't know because I just started using gpg as well. good luck
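
Added example, not part of the thread: the "Good signature" line shows the tarball matches a signature made by key 2132046F, while the warning means gpg has nothing tying that key to its claimed owner. One way to close that gap in a script is to read gpg's machine-readable `--status-fd` lines and accept only a signature whose primary key fingerprint equals one obtained from a source you trust. The function names, verdict words and sample status lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads gpg's --status-fd lines and
# accepts only a good signature made by the pinned primary key.

# Constructed sample of status output for the thread's key (the timestamp
# and algorithm fields are made up for illustration).
SAMPLE_GOOD='[GNUPG:] GOODSIG EC50E21A2132046F Robert D. Andrews (RELI Networks, Inc. CEO/President) <randrews@relinetworks.com>
[GNUPG:] VALIDSIG F26746E869BD1AA417110254EC50E21A2132046F 2004-07-12 1089610851 0 3 0 17 2 00 F26746E869BD1AA417110254EC50E21A2132046F
[GNUPG:] TRUST_UNDEFINED'

# check_status EXPECTED_FPR: status lines on stdin, verdict word on stdout,
# exit status 0 only when the verdict is OK.
check_status() {
    # Normalise the pinned fingerprint: drop spaces, upper-case the hex.
    cs_want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    cs_verdict=$(awk -v want="$cs_want" '
        $1 != "[GNUPG:]"  { next }
        $2 == "NO_PUBKEY" { nokey = 1 }   # the "public key not found" case
        $2 == "BADSIG"    { bad = 1 }     # data does not match the signature
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        $2 == "GOODSIG"   { good = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; the primary key
        # fingerprint is the last field when gpg reports it.
        $2 == "VALIDSIG"  { fpr = (NF >= 12) ? $NF : $3 }
        END {
            if (bad)                     print "BAD_SIGNATURE"
            else if (nokey)              print "MISSING_KEY"
            else if (stale)              print "EXPIRED_OR_REVOKED"
            else if (!good || fpr == "") print "NOT_VERIFIED"
            else if (fpr != want)        print "WRONG_SIGNER"
            else                         print "OK"
        }')
    printf '%s\n' "$cs_verdict"
    [ "$cs_verdict" = "OK" ]
}

# verify_pinned SIGFILE DATAFILE EXPECTED_FPR: runs gpg and judges its status.
# e.g. verify_pinned ircii-pana-1.1-final.tar.gz.sig \
#          ircii-pana-1.1-final.tar.gz "$PINNED_FPR"
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}
```

The trust warning (`TRUST_UNDEFINED`) does not change the verdict here because the decision rests on the full fingerprint, not on the 8-character key ID or the name in the user ID.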
 
  

