7

I have to download a program with a PGP signature and a signing key (public key).

How do I check the program with the signing key?

schroeder
567hz

2 Answers

9

Assuming you have GPG installed:

gpg --import signing_key.pub
gpg --verify signed_file.sig

Where signing_key.pub is the public key, and signed_file.sig is the detached signature for the file (in the same directory as the signed file).

David
  • First, thanks for your answer! I did as you said, and I get: gpg key: key ........... gpg sig: RSA.................... But I don't understand how they work together.......... Everyone has a different cipher.... How do I know that the program I downloaded is it? ..... So, I have downloaded tcpdump from here http://www.tcpdump.org/#latest-release and I will know if it is the genuine tcpdump.... – 567hz Mar 07 '18 at 17:22
  • So, as I understand it... with signing_key I get: E089DEF1D9C15D0D; with signed_key: 1F166A5742ABB9E0249A8D30. Is this the RSA key? E089DEF1D9C15D0D, and here is my signing_key! Together the RSA key: 1F166A5742ABB9E0249A8D30E089DEF1D9C15D0D – 567hz Mar 07 '18 at 17:38
  • For verifying the file's signature: gpg --verify tcpdump-4.9.2.tar.gz.sig tcpdump-4.9.2.tar.gz https://gnupg.org/download/integrity_check.html – 567hz Mar 08 '18 at 13:29
0

When only an .asc PGP signature is given

A first attempt to verify the .tar.xz fails, but is nonetheless useful to obtain the RSA key identifier.

$ gpg --verify tor-browser-linux64-9.0.4_en-US.tar.xz.asc

gpg: assuming signed data in 'tor-browser-linux64-9.0.4_en-US.tar.xz'
gpg: Signature made Thu 09 Jan 2020 21:09:44 CET
gpg:                using RSA key EB774491D9FF06E2
gpg: Can't check signature: No public key

Now, use the mentioned RSA key identifier to import the missing public key from a key server.

$ gpg --keyserver pgpkeys.mit.edu --recv-key EB774491D9FF06E2

gpg: key 4E2C6E8793298290: 70 duplicate signatures removed
gpg: key 4E2C6E8793298290: 21229 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 1m, 0f, 0u
gpg: next trustdb check due at 2021-12-08
gpg: Total number processed: 1
gpg:               imported: 1

The second verification attempt now succeeds.

$ gpg --verify tor-browser-linux64-9.0.4_en-US.tar.xz.asc

gpg: assuming signed data in 'tor-browser-linux64-9.0.4_en-US.tar.xz'
gpg: Signature made Thu 09 Jan 2020 21:09:44 CET
gpg:                using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2

If that didn't work, you can fetch the public key and import it into gpg.

curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -

and then verify the file.

gpg --verify tor-browser-linux64-9.0.10_en-US.tar.xz.asc
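Both answers end with a "Good signature" that gpg still flags as [unknown] trust: the signature is valid for *some* key, but nothing yet ties that key to the project. The added script below (not from either answer) closes that gap by reading gpg's machine-readable status output (`--status-fd`) and accepting the download only when the VALIDSIG fingerprint equals one you obtained out of band; the pinned values are the subkey and primary fingerprints printed in the second answer, and the sample status lines are constructed for offline testing.

```shell
#!/bin/sh
# Added example: pin the signing key's fingerprint instead of grepping for
# the human-readable "Good signature" text, which also appears for keys you
# have never verified (the "[unknown]" case shown in the answer above).

# status_has_validsig EXPECTED_FPR  (gpg status lines on stdin)
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR, either as the key
# that made the signature ($3) or as the primary key it belongs to (last
# field, present in modern GnuPG). Spaces and case in EXPECTED_FPR are ignored.
status_has_validsig() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    # VALIDSIG <fpr> <date> <timestamp> <expire> <ver> <reserved> <pk-algo>
    #          <hash-algo> <sig-class> [<primary-key-fpr>]
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_pinned SIGNATURE_FILE SIGNED_FILE EXPECTED_FPR
# Runs gpg as in the answers, but the exit status reflects the pinned check.
# Import the key first (gpg --import / --recv-key) so gpg can see it.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_has_validsig "$3"
}

# Constructed sample of what gpg --status-fd 1 prints for the Tor Browser
# signature in the answer above (fingerprints copied from that output).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EB774491D9FF06E2 Tor Browser Developers (signing key) <torbrowser@torproject.org>
[GNUPG:] VALIDSIG 110775B5D101FB36BC6C911BEB774491D9FF06E2 2020-01-09 1578600584 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Offline demonstration on the constructed sample: the subkey fingerprint
# from the answer is accepted, a fingerprint gpg never reported is not.
TOR_SUBKEY_FPR="1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2"
if sample_status | status_has_validsig "$TOR_SUBKEY_FPR"; then
    echo "pinned fingerprint matched"
else
    echo "fingerprint mismatch: do not use the download" >&2
fi
```

For a real download, call `verify_pinned tor-browser-linux64-9.0.4_en-US.tar.xz.asc tor-browser-linux64-9.0.4_en-US.tar.xz "$TOR_SUBKEY_FPR"` and treat a non-zero exit as failure; the fingerprint to pin must come from a channel independent of the download site.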