how to verify signature without .sig file
I wonder how I verify signatures in cases like this one. http://www.balabit.com/downloads/syslog-ng/2.0/src/ only has the following files to download:

syslog-ng-2.0.0.tar.gz File 329.64k 10/28/2006
syslog-ng-2.0.0.tar.gz.asc File 191 10/28/2006
syslog-ng-2.0.1.tar.gz File 340.35k 12/22/2006
syslog-ng-2.0.1.tar.gz.asc File 189 12/22/2006
syslog-ng-2.0.2.tar.gz File 344.24k 01/29/2007
syslog-ng-2.0.2.tar.gz.asc ..............

That's the general idea. I've seen it on a couple of websites already. How do I get the .sig file so I can verify the signature with the .asc file? How do I verify the signature if they only provide the .asc file but not the .sig file? Thanks.
I knew it would be a stupid question. Just in case someone else wonders how to do it, I paste the answer here:
-----> gpg --verify syslog-ng-2.0.2.tar.gz.asc syslog-ng-2.0.2.tar.gz
gpg: Signature made Mon 29 Jan 2007 03:20:17 AM MST using DSA key ID ADCF4138
gpg: Can't check signature: public key not found

-----> gpg --keyserver pgp.mit.edu --recv-keys ADCF4138
gpg: requesting key ADCF4138 from hkp server pgp.mit.edu
gpg: key ADCF4138: public key "Balazs Scheidler <bazsi@balabit.hu>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1

-----> gpg --verify syslog-ng-2.0.2.tar.gz.asc syslog-ng-2.0.2.tar.gz
gpg: Signature made Mon 29 Jan 2007 03:20:17 AM MST using DSA key ID ADCF4138
gpg: Good signature from "Balazs Scheidler <bazsi@balabit.hu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8038 B76C B92A 661D E4EF 222D B613 44D0 ADCF 4138
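The "Good signature" line above only shows that the file matches whatever key was fetched by its short ID, which is why gpg still prints the warning about an uncertified key. The script below is an added example, not part of the original post: it accepts the signature only when the fingerprint gpg reports equals one you obtained from a separate channel. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a detached .asc signature only when gpg reports
# GOODSIG and the VALIDSIG fingerprint equals one obtained out of band.

# Constructed sample of `gpg --status-fd 1 --verify` output (not captured).
SAMPLE_STATUS='[GNUPG:] GOODSIG B61344D0ADCF4138 Balazs Scheidler <bazsi@balabit.hu>
[GNUPG:] VALIDSIG 8038B76CB92A661DE4EF222DB61344D0ADCF4138 2007-01-29 1170066017 0 3 0 17 2 00 8038B76CB92A661DE4EF222DB61344D0ADCF4138'

# Strip spaces and upper-case, so "8038 b76c ..." compares equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Status lines on stdin -> primary key fingerprint on stdout.
# Fails unless GOODSIG is present: expired or revoked keys are reported
# as EXPKEYSIG / REVKEYSIG instead, and a bad signature as BADSIG.
good_sig_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
         END {
             if (!good || fpr == "") exit 1
             print fpr
         }'
}

# status_matches_pin FINGERPRINT  (status lines on stdin)
status_matches_pin() {
    want=$(norm_fpr "$1")
    got=$(good_sig_fpr) || return 1
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# verify_pinned SIGNATURE FILE FINGERPRINT
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$3"
}

# Usage: sh verify.sh file.tar.gz.asc file.tar.gz "FINGERPRINT"
if [ "$#" -eq 3 ]; then
    verify_pinned "$@" || { echo "FAIL: signature not from pinned key" >&2; exit 1; }
    echo "OK: good signature from pinned key"
fi
```

The fingerprint passed as the third argument should come from the vendor's own site or documentation, not from the output of the key that was just imported.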