On Oct 08, 2023, Tom Browder wrote:
> On Sun, Oct 8, 2023 at 3:29 AM DdB
> <debianl...@potentially-spam.de-bruyn.de> wrote:
> > On 08.10.2023 at 01:16, Tom Browder wrote:
> > > I'm willing to trust published PGP key fingerprints for signers of
> > > Rakudo downloadable files.
> > > Question: How can I get the fingerprint from the downloads?
> > There is more than just one way to achieve this, first result from
>
> I should have been more specific. I have the following:
>
> -----BEGIN PGP SIGNATURE-----
>
> iHUEABYKAB0WIQTdpb2j9c3OmfntVsEsxulzgY84awUCZQ1GBgAKCRAsxulzgY84
> a+jhAQCZ0lLh1EnB1AwrgW0zPBp801OOeJ2QUiDBOGXBbrl/7QD/ZQe738sF2tCR
> 43SAvJOfT3b4YpGdfSUj9F7XNDoovQM=
> =mNqK
> -----END PGP SIGNATURE-----
>
> I need the fingerprint from that to compare with the fingerprints I
> know from Github to see if it's from the same key.

No, you just need the key(s) from the developer(s).

Assuming you've not accidentally tampered with the files, you'll be able
to verify this signature with a command like
"gpg --verify shasum.txt.gpg shasum.txt".

You'll get a message to the effect of

    Signature made [some-date-here]
    using RSA Key [fingerprint-here]
    Good signature from "Some Person's GPG Key Name"

NOTE -- you MAY also receive some lines to the effect of

    WARNING: This key is not trusted, the authenticity of the signature
    cannot be verified.

As with checking a Debian ISO (or other Linux distro that uses this style
of verification), this is nothing to be worried about; it's just GPG
informing you that it doesn't have any information as to whether you
actually "trust" the key (either through you explicitly signing /
trusting the key, or trust being derived through the GPG Web of Trust).

It's roughly the GPG equivalent of a web browser going "WARNING - Self
Signed Certificate".

Anyway, once you're done with this, then you know the sha256 checksum file
is the one the developers intended you to get, and you can use it to
check the *iso file. Probably something like
"sha256sum --ignore-missing -c sha256sum.txt"

HTH :)

--
|_|O|_|
|_|_|O|  Github: https://github.com/dpurgert
|O|O|O|  PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
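
The fingerprint asked about in the quoted question is carried inside the signature packet itself. The following is an added example, not part of the thread or of any project's code: it parses the detached signature quoted above and returns the issuer fingerprint and key ID it names. The function names are illustrative, and it assumes a v4 signature in an old-format packet header with one-octet subpacket lengths, as in that signature. The result is only what the signature claims about its signer, so it tells you which published fingerprint to compare against; the `gpg --verify` run against that key is still the actual check.

```python
import base64

# Detached signature quoted in the message above.
ARMORED_SIG = """-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQTdpb2j9c3OmfntVsEsxulzgY84awUCZQ1GBgAKCRAsxulzgY84
a+jhAQCZ0lLh1EnB1AwrgW0zPBp801OOeJ2QUiDBOGXBbrl/7QD/ZQe738sF2tCR
43SAvJOfT3b4YpGdfSUj9F7XNDoovQM=
=mNqK
-----END PGP SIGNATURE-----"""

def dearmor(text):
    """Drop armor headers, the CRC-24 line and the footer; decode the rest."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    data = [ln for ln in lines[lines.index("") + 1:-1] if not ln.startswith("=")]
    return base64.b64decode("".join(data))

def signature_body(pkt):
    """Return the body of a leading old-format signature packet (tag 2)."""
    hdr = pkt[0]
    tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
    if hdr & 0x40 or tag != 2 or ltype == 3:
        raise ValueError("expected an old-format signature packet")
    start = 1 + (1 << ltype)             # header octet + 1, 2 or 4 length octets
    return pkt[start:start + int.from_bytes(pkt[1:start], "big")]

def subpackets(area):
    """Yield (type, data) pairs from a v4 signature subpacket area."""
    i = 0
    while i < len(area):
        n = area[i]                      # one-octet length: type octet + data
        if n == 0 or n >= 192:
            raise ValueError("unsupported subpacket length encoding")
        yield area[i + 1] & 0x7F, area[i + 2:i + 1 + n]   # mask critical bit
        i += 1 + n

def claimed_issuer(armored):
    """Return (fingerprint, key_id) the signature names as signer; unverified."""
    body = signature_body(dearmor(armored))
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = int.from_bytes(body[4:6], "big")
    ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
    hashed, unhashed = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
    # Hashed area goes last so its values win over the unsigned unhashed area.
    found = dict(subpackets(unhashed + hashed))
    fpr = found[33][1:].hex().upper() if 33 in found else None  # skip key version
    key_id = found[16].hex().upper() if 16 in found else None
    return fpr, key_id

if __name__ == "__main__":
    print(claimed_issuer(ARMORED_SIG))
```

`gpg --list-packets` on the signature file shows the same subpackets without any custom parsing.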