LinuxQuestions.org
Old 08-08-2010, 06:01 PM   #1
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 4,442

Rep: Reputation: 76
PGP signatures.


Hi:

I have a file MPlayer.tar.gz (a slackbuild) and it came along with MPlayer.tar.gz.asc, whose contents are these:

Code:
root@darkstar:/big/store1/soft/mplayer/mplayerhq# cat MPlayer.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQBH3qifA2jvV5x7o7YRAp2rAJ0fQMB8wgePyGNqaBZqx1l3EpzMywCeIScD
sDj2Sn+F8aSxaqy4GPGHRD8=
=RMWi
-----END PGP SIGNATURE-----
root@darkstar:/big/store1/soft/mplayer/mplayerhq#


Code:
root@darkstar:/big/store1/soft/mplayer/mplayerhq# gpgv MPlayer.tar.gz.asc
gpgv: keyblock resource `/root/.gnupg/trustedkeys.gpg': general error
gpgv: Signature made Mon 17 Mar 2008 02:21:35 PM ART using DSA key ID 9C7BA3B6
gpgv: Can't check signature: public key not found
You see what I did. But it is evident I'm doing something wrong (I'd say, all wrong). What do I do with the .asc? Thanks in advance.

EDIT: in another post I saw somebody using gpg. I tried but it failed too.

Last edited by stf92; 08-08-2010 at 06:03 PM.
 
Old 08-09-2010, 11:31 PM   #2
alan99
Member
 
Registered: Mar 2010
Distribution: Debian
Posts: 180

Rep: Reputation: 31
You don't really have to do anything with it if you don't want to. If you trust the source of the package, you can just use it; otherwise you have to find and download the public key of the source of the software to verify that the software is from who you think it is and hasn't been tampered with.
 
Old 08-12-2010, 04:08 AM   #3
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 4,442

Original Poster
Rep: Reputation: 76
Hi alan99 and forgive my delay. I now understand. I thought the PGP signature was about checking the received file was an exact copy of the sent file. Kind of a checksum. I now see I was wrong. But then why does slackbuilds not send a checksum in addition to the .asc file? Well, thanks for your kind reply.
 
Old 08-12-2010, 06:16 PM   #4
alan99
Member
 
Registered: Mar 2010
Distribution: Debian
Posts: 180

Rep: Reputation: 31
Here is the public key using key ID 9C7BA3B6. Unfortunately, my check on the signature said it was bad, but you can try it yourself.
 
Old 08-12-2010, 06:43 PM   #5
alan99
Member
 
Registered: Mar 2010
Distribution: Debian
Posts: 180

Rep: Reputation: 31
I was looking on the Slackware-build repository and I guess the reason there is no MD5 checksum is that you have to get the source code from the MPlayer site. I think the package they have there is just for a theme for it, unless I am mistaken. I don't know whether that is where you got it, or from some third party.
 
Old 08-12-2010, 07:03 PM   #6
alan99
Member
 
Registered: Mar 2010
Distribution: Debian
Posts: 180

Rep: Reputation: 31
P.S. I tried downloading those two files (don't know if they were the same version as yours), and the signature did check out (not using the command line). I have gpa and seahorse installed, and after importing the public key all I have to do is double-click on the signature in nautilus and a box pops up telling me the signature is valid.
 
Old 08-12-2010, 11:30 PM   #7
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 4,442

Original Poster
Rep: Reputation: 76
Hi:

In slackbuilds.org, using the Search feature, you can search for 'mplayer' and slack version '12.0'. You'll be presented with a link for mplayer for 12.0. Clicking, you'll find three files: the source packages with the MD5 checksum displayed beside the link, the package containing the slackbuilds script (MPlayer.tar.gz) and a PGP signature file for that package (MPlayer.tar.gz.asc). But no MD5 checksum for MPlayer.tar.gz.

However, I learn from Wikipedia that PGP can also do integrity checking of plain text, besides determining whether the sender is the claimed sender.

Enrique.
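
The three outcomes seen in this thread (public key not found, a valid signature, a bad signature), reproduced as an added example that is not part of any post above. It uses a throwaway key and a constructed file rather than the SlackBuilds key or MPlayer.tar.gz, assumes GnuPG 2.1 or later, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example: every key, file and name here is constructed for the demo.

# classify_sig HOMEDIR SIGFILE DATAFILE -> prints good | bad | nokey | error
# Reads gpg's machine-readable status lines instead of its human messages.
classify_sig() {
    status=$(gpg --homedir "$1" --batch --status-fd 1 \
                 --verify "$2" "$3" 2>/dev/null) || true
    case "$status" in
        *"[GNUPG:] GOODSIG"*)   echo good ;;   # data matches, key is known
        *"[GNUPG:] BADSIG"*)    echo bad ;;    # data or signature was altered
        *"[GNUPG:] NO_PUBKEY"*) echo nokey ;;  # "public key not found"
        *)                      echo error ;;
    esac
}

demo() {
    work=$(mktemp -d) || return 1
    signer="$work/signer"; fresh="$work/fresh"
    mkdir -m 700 "$signer" "$fresh"
    pkg="$work/pkg.tar.gz"

    # Throwaway signing key with no passphrase, standing in for the packager.
    gpg --homedir "$signer" --batch --quiet --passphrase '' \
        --quick-generate-key 'Constructed Demo Key <demo@example.invalid>' \
        ed25519 sign never 2>/dev/null
    printf 'constructed package contents\n' > "$pkg"
    gpg --homedir "$signer" --batch --armor --detach-sign \
        --output "$pkg.asc" "$pkg" 2>/dev/null

    # 1. Downloader has the file and the .asc but not the signer's key.
    r1=$(classify_sig "$fresh" "$pkg.asc" "$pkg")

    # 2. After importing the public key the same check succeeds.
    gpg --homedir "$signer" --batch --armor --export > "$work/key.asc"
    gpg --homedir "$fresh" --batch --quiet --import "$work/key.asc" 2>/dev/null
    r2=$(classify_sig "$fresh" "$pkg.asc" "$pkg")

    # 3. One extra byte in the file: the signature is also an integrity check.
    printf 'x' >> "$pkg"
    r3=$(classify_sig "$fresh" "$pkg.asc" "$pkg")

    gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

demo
```

A `good` result only says the file matches the imported key; whether that key really belongs to the packager is settled separately, by comparing its fingerprint with one obtained through another channel.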
 
  

