On Fri, Feb 27, 2015, at 02:24 PM, Nicolas Vigier wrote:
> On Fri, 27 Feb 2015, andr...@fastmail.fm wrote:
> >
> > On Thu, Feb 26, 2015, at 05:55 PM, Simon Nicolussi wrote:
> > > andr...@fastmail.fm wrote:
> > > > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> > >
> > > Note that calling gpg --verify with a detached signature as its only
> > > argument is insecure (later versions of GnuPG should emit a warning).
> > > See my message to Gnupg-users and subsequent responses for details:
> > > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html
> >
> > I could read those responses until the end of time and wouldn't
> > understand anything.
> >
> > Could you tell me what I'm supposed to enter in Terminal to get a
> > response that indicates a good file or a bad file?
> >
> > Here's what I entered (2 separate ways):
> >
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> > tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> >
> > gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID
> > F65C2036
> > gpg: BAD signature from "Tor Browser Developers (signing key)
> > <torbrow...@torproject.org>"
> >
> >
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> > tor-browser-linux32-4.0.4_en-US.tar.xz
>
> The good one is the second one: giving the signature file as first
> argument, and the file to be checked as second argument.
>
> The problem with giving only one argument is that if the .asc file
> contains some text with an in-line signature (rather than what people
> would expect: a detached signature for the .tar.xz file), then gpg
> will only verify this inline signature and ignore the .tar.xz file.
> And the output only tells you that there is a good signature, so you
> can't see that the .tar.xz file was not checked.
>
> Example:
>
> $ echo 'some text' > some_file.txt
> $ gpg --clearsign some_file.txt
> $ mv some_file.txt.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc
>
> Now the gpg command tells us the signature is good, although it has
> nothing to do with tor-browser-linux32-4.0.4_en-US.tar.xz:
>
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> gpg: Signature made Fri 27 Feb 2015 02:09:25 PM CET
> gpg:                using RSA key 2067001B1B678A63
> gpg: Good signature from "Nicolas Vigier (boklm)
> <bo...@mars-attacks.org>"
> gpg:                 aka "Nicolas Vigier (boklm) <bo...@torproject.org>"
>
> But with 2 arguments it tells us something is wrong:
>
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> tor-browser-linux32-4.0.4_en-US.tar.xz
> gpg: not a detached signature
When run in Terminal this is what happens:

$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
gpg: BAD signature from "Tor Browser Developers (signing key) <torbrow...@torproject.org>"

I have no idea what all of this means but when I see something that says "BAD signature" that tells me something is wrong. Is the tar.xz file bad and suspect? What must be done to fix this?

-- 
http://www.fastmail.com - Send your email first class

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
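An added helper, not from anyone in this thread, that turns Nicolas's point into a check: it refuses to treat a clearsigned or inline-signed .asc as a detached signature, always passes both arguments to gpg, and accepts only a VALIDSIG status line from an expected fingerprint (the fingerprint value is a placeholder you must fill in; gpg on PATH is assumed). The sample .asc files at the bottom are constructed to mirror the thread's clearsign trick.

```shell
#!/bin/sh
# Classify a .asc by its first armor header. Detached signatures start with
# "BEGIN PGP SIGNATURE"; a clearsigned file starts with "BEGIN PGP SIGNED
# MESSAGE" (its own SIGNATURE block comes later, so look at the first line only).
sig_kind() {
    first=$(grep '^-----BEGIN PGP ' "$1" 2>/dev/null | head -n 1)
    case "$first" in
        '-----BEGIN PGP SIGNATURE-----')      echo detached ;;
        '-----BEGIN PGP SIGNED MESSAGE-----') echo clearsigned ;;
        '-----BEGIN PGP MESSAGE-----')        echo inline ;;
        *)                                    echo unknown ;;
    esac
}

# verify_detached SIG DATA EXPECTED_FPR
# Returns 0 only if SIG is a detached signature, gpg verifies DATA against it,
# and the VALIDSIG status line names EXPECTED_FPR (40-hex fingerprint, placeholder).
verify_detached() {
    sig=$1; data=$2; fpr=$3
    [ "$(sig_kind "$sig")" = detached ] ||
        { echo "refusing: $sig is not a detached signature" >&2; return 1; }
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) ||
        { echo "gpg: verification of $data failed" >&2; return 1; }
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr " ||
        { echo "signature is valid but not from the expected key" >&2; return 1; }
    echo "OK: $data verified against $sig"
}

# Constructed sample inputs (not real signatures): a detached-style .asc and a
# clearsigned .asc renamed to the tarball's signature name, as in the thread.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN PGP SIGNATURE-----\n\nAAAA\n-----END PGP SIGNATURE-----\n' \
    > "$demo_dir/good.tar.xz.asc"
printf -- '-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nsome text\n-----BEGIN PGP SIGNATURE-----\n\nAAAA\n-----END PGP SIGNATURE-----\n' \
    > "$demo_dir/renamed.tar.xz.asc"
echo "good.tar.xz.asc    -> $(sig_kind "$demo_dir/good.tar.xz.asc")"
echo "renamed.tar.xz.asc -> $(sig_kind "$demo_dir/renamed.tar.xz.asc")"
# verify_detached refuses the renamed clearsign before gpg is ever called:
verify_detached "$demo_dir/renamed.tar.xz.asc" "$demo_dir/x.tar.xz" PLACEHOLDER_FPR || true
```

For a real download the call is `verify_detached tor-browser-...tar.xz.asc tor-browser-...tar.xz <fingerprint>`, with the fingerprint taken from the Tor Project's published key, not from the signature output itself.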