[PLUG] Checking File Integrity with PGP Signature
alan
alan at clueserver.org
Mon Jan 22 23:36:50 UTC 2007
On Mon, 22 Jan 2007, Rich Shepard wrote:
> On Wed, 17 Jan 2007, Alan Olsen wrote:
>
>> I assume you mean a gpg detached signature.
>>
>> gpg --verify detached.sig
>
> Alan,
>
> I'm really dense today. I have two files: scribus-1.3.3.7.tar.bz2 and
> scribus-1.3.3.7.tar.bz2.sig. The latter contains:
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQBFo+8V73uV5/YBZtoRAmskAJ9AX+AAVvtl/Tq7G5396hVojsuP9wCfUnZh
> PyIO5+OM3pLysiKKabNJ77c=
> =xz3n
> -----END PGP SIGNATURE-----
>
> Then, when I use your syntax above I get
>
> [rshepard@salmo /opt]$ gpg --verify scribus-1.3.3.7.tar.bz2.sig
> gpg: Signature made Tue 09 Jan 2007 11:37:57 AM PST using DSA key ID F60166DA
> gpg: Can't check signature: public key not found
>
> So, is there a way to determine if the file's been changed? Or, is the
> addition of the signature just for show?
The key for the file is not in your keyring. You need to edit the
.gnupg/gpg.conf file and uncomment the line with "keyserver-options
auto-key-retrieve". GPG is not able to automatically retrieve the keys.
--
"Invoking the supernatural can explain anything, and hence explains nothing."
- University of Utah bioengineering professor Gregory Clark
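
The question in this thread, whether a failed `gpg --verify` means the file was changed, can be answered from the status lines gpg emits with `--status-fd`. The shell functions below are an added example, not part of the original post; the function names and the 16-digit key ID in the sample are constructed.

```shell
#!/bin/sh
# Added example: tell "file was modified" apart from "signer's key is missing"
# using the status lines gpg writes with --status-fd.

# Read gpg status output on stdin and print a single verdict line.
classify_status() {
    bad=0 good=0 nokey="" weak="" fpr=""
    while read -r tag key arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $key in
            BADSIG)    bad=1 ;;          # signature does not match the data
            NO_PUBKEY) nokey=$arg ;;     # cannot check: key not in keyring
            EXPSIG|EXPKEYSIG|REVKEYSIG) weak=$key ;;
            GOODSIG)   good=1 ;;
            VALIDSIG)  fpr=$arg ;;       # full fingerprint of the signing key
        esac
    done
    if [ "$bad" -eq 1 ]; then
        echo "MODIFIED: signature does not match the file"
    elif [ -n "$nokey" ]; then
        echo "UNKNOWN: need public key $nokey"
    elif [ -n "$weak" ]; then
        echo "UNTRUSTED: $weak"
    elif [ "$good" -eq 1 ] && [ -n "$fpr" ]; then
        echo "GOOD: signed by $fpr"
    else
        echo "UNKNOWN: no signature result"
    fi
}

# Constructed sample of the "public key not found" case from the thread.
# The 16-digit key ID is a placeholder, not the real signer's long key ID.
sample_no_pubkey() {
    printf '%s\n' \
        '[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1168371477 9' \
        '[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
}

# Verify FILE against FILE.sig; succeed only on a good, checkable signature.
verify_detached() {    # usage: verify_detached FILE.sig FILE
    verdict=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_status)
    printf '%s\n' "$verdict"
    case $verdict in GOOD:*) return 0 ;; *) return 1 ;; esac
}

if [ "$#" -eq 2 ]; then
    verify_detached "$1" "$2"
fi
```

A GOOD verdict only shows that the file matches a signature made by that key; whether the key belongs to the project still has to be confirmed against a fingerprint obtained from a trusted source.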