SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm having so difficulty verifying the .sig file from keepassx, so this is what I have done
1. downloaded keepassx-2.0.3.tar.gz and keepassx-2.0.3.tar.gz.sig
2. type $ gpg --verify keepassx-2.0.3.tar.gz.sig
gpg: assuming signed data in `keepassx-2.0.3.tar.gz'
gpg: Signature made Sun 04 Sep 2016 02:51:46 PM MDT using RSA key ID 83135D45
gpg: Can't check signature: public key not found
so then I tried
3. $ gpg --recv-keys 83135D45
gpg: no keyserver known (use option --keyserver)
gpg: keyserver receive failed: bad URI
4. I did try the --keyserver option but I dont think keepass has a keyserver
gpg: requesting key 83135D45 from hkp server keepassx.org
but nothing happens not even after a couple of minutes
I have tried lots of suggestion on line but nothing work, I hope someone can help me
Last edited by Slakerlife; 01-20-2017 at 09:44 PM.
Hello, thanks for the replay, yes I say that website will trying to find a solution, but at the time I didn't understand why the author was sending me to "pgpkeys.mit.edu" but after you posted I did some research and found that MIT is a host of pgp keys for other projects or at least that what I think, then I realized that I can also use http://keyserver.ubuntu.com/ and I believe debian also has a keyserver, hopefully im right
I was wondering, does slackware host a keyserver for others?
Last edited by Slakerlife; 01-21-2017 at 10:36 AM.
Reason: had another question
hopefully no one finds this questions dumb as im still learning and would like to do think properly. ok so know that I can verify the package what is the correct command to verify is it just the .sig file by itself as my first output or is it with .sig and the tar file like my second output? I don't see what the difference is
Code:
bash-4.3$ gpg --verify keepassx-2.0.3.tar.gz.sig
gpg: assuming signed data in `keepassx-2.0.3.tar.gz'
gpg: Signature made Sun 04 Sep 2016 02:51:46 PM MDT using RSA key ID 83135D45
gpg: Good signature from "Felix Geyer <felix@fobos.de>"
gpg: aka "Felix Geyer <debfx@fobos.de>"
gpg: aka "Felix Geyer <debfx@ubuntu.com>"
gpg: aka "Felix Geyer <debfx@kubuntu.org>"
gpg: aka "Felix Geyer <fgeyer@debian.org>"
gpg: aka "Felix Geyer <debfx-pkg@fobos.de>"
gpg: aka "Felix Geyer <felix.geyer@fobos.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 164C 7051 2F79 2947 6764 AB56 FE22 C6FD 8313 5D45
or should I add the package after the .sig file like this
Code:
bash-4.3$ gpg --verify keepassx-2.0.3.tar.gz.sig keepassx-2.0.3.tar.gz
gpg: Signature made Sun 04 Sep 2016 02:51:46 PM MDT using RSA key ID 83135D45
gpg: Good signature from "Felix Geyer <felix@fobos.de>"
gpg: aka "Felix Geyer <debfx@fobos.de>"
gpg: aka "Felix Geyer <debfx@ubuntu.com>"
gpg: aka "Felix Geyer <debfx@kubuntu.org>"
gpg: aka "Felix Geyer <fgeyer@debian.org>"
gpg: aka "Felix Geyer <debfx-pkg@fobos.de>"
gpg: aka "Felix Geyer <felix.geyer@fobos.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 164C 7051 2F79 2947 6764 AB56 FE22 C6FD 8313 5D45
thanks
Last edited by Slakerlife; 01-21-2017 at 11:33 AM.
Reason: added some words
Don't overthink it. There's no practical difference.
If you run gpg --verify something.tar.gz, gpg will look for something.tar.gz.sig
If you run gpg --verify something.tar.gz.sig, gpg will look for something.tar.gz
Don't overthink it. There's no practical difference.
If you run gpg --verify something.tar.gz, gpg will look for something.tar.gz.sig
If you run gpg --verify something.tar.gz.sig, gpg will look for something.tar.gz
There's no point specifying both.
that really clears it up, I was following an example where it listed both but now I know the difference, thanks!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
