On Thu, Feb 26, 2015, at 05:55 PM, Simon Nicolussi wrote:
> andr...@fastmail.fm wrote:
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
>
> Note that calling gpg --verify with a detached signature as its only
> argument is insecure (later versions of GnuPG should emit a warning).
> See my message to Gnupg-users and subsequent responses for details:
> http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html
>
I could read those responses until the end of time and wouldn't
understand anything.
Could you tell me what I'm supposed to enter in Terminal to get a
response that indicates a good file or a bad file?
Here's what I entered (2 separate ways);
$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
tor-browser-linux32-4.0.4_en-US.tar.xz.asc
gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID
F65C2036
gpg: BAD signature from "Tor Browser Developers (signing key)
<torbrow...@torproject.org>"
$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
tor-browser-linux32-4.0.4_en-US.tar.xz
gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID
F65C2036
gpg: Good signature from "Tor Browser Developers (signing key)
<torbrow...@torproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329
8290
Subkey fingerprint: 5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C
2036
> --
> Simon Nicolussi <si...@sinic.name>
> http{s,}://{www.,}sinic.name/
> Email had 1 attachment:
> + Attachment2
> 1k (application/pgp-signature)
--
http://www.fastmail.com - A no graphics, no pop-ups email service
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
