How to verify downloaded file with .sig file?
ShellCommand LineCommandSignatureVerifyShell Problem Overview
When I download GCC, it also has a .sig
file, and I think it is provided to verify downloaded file.
(I downloaded GCC from here).
But I can't figure out how should I use it. I tried gpg
, but it complains about public key.
[root@localhost src]# gpg --verify gcc-4.7.2.tar.gz.sig gcc-4.7.2.tar.gz
gpg: Signature made Thu 20 Sep 2012 07:30:44 PM KST using DSA key ID C3C45C06
gpg: Can't check signature: No public key
[root@localhost src]#
How can I verify downloaded file with .sig
file?
Shell Solutions
Solution 1 - Shell
You need to import public key: C3C45C06
Can be done in three steps.
-
find public key ID:
$ gpg gcc-4.7.2.tar.gz.sig gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06 gpg: Can't check signature: No public key
-
import the public key from key server. It's usually not needed to choose key server, but it can be done with
--keyserver <server>
. Keyserver examples.$ gpg --recv-key C3C45C06 gpg: requesting key C3C45C06 from hkp server keys.gnupg.net gpg: key C3C45C06: public key "Jakub Jelinek <[email protected]>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1
If the command error's out with a timeout, you may be behind a firewall that is blocking the default gpg port. Try using the `--keyserver' option with port 80 (almost all firewalls allow port 80 b/c of web browsing):
$ gpg --keyserver hkp://${HOSTNAME}:80 --recv-keys ${KEY_ID}
3) verify signature:
$ gpg gcc-4.7.2.tar.gz.sig
gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06
The output should say "Good signature".
>gpg: WARNING: This key is not certified with a trusted signature!
Is for another question ;)
Solution 2 - Shell
This other avenue is particularly useful for verifying GNU projects (e.g. Octave) since the key requested by their signature may not be found in any key server.
From https://ftp.gnu.org/README
> There are also .sig files, which contain detached GPG signatures of
> the above files, automatically signed by the same script that
> generates them.
>
> You can verify the signatures for gnu project files with the keyring
> file from:
>
> https://ftp.gnu.org/gnu/gnu-keyring.gpg
>
> In a directory with the keyring file, the source file to verify and
> the signature file, the command to use is:
>
> $ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig
Solution 3 - Shell
You have to search the public keyservers for the given key id: in your case ID C3C45C06
Import the found key in your local keystore and after this the verification should be OK.
I use Ubuntu 12.04 and it comes with Seahorse key management software. Before the key import I was seeing this:
~/Downloads$ gpg --verify --keyring ./gnu-keyring.gpg icecat-31.5.0.en-US.linux-x86_64.tar.bz2.sig icecat-31.5.0.en-US.linux-x86_64.tar.bz2
gpg: Signature made 9.03.2015 (пн) 22,35,52 EET using RSA key ID D7E04784
gpg: Can't check signature: public key not found
After the key import I was seeing this:
~/Downloads$ gpg --verify --keyring ./gnu-keyring.gpg icecat-31.5.0.en-US.linux-x86_64.tar.bz2.sig icecat-31.5.0.en-US.linux-x86_64.tar.bz2
gpg: Signature made 9.03.2015 (пн) 22,35,52 EET using RSA key ID D7E04784
gpg: Good signature from "Ruben Rodriguez (GNU IceCat releases key) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A573 69A8 BABC 2542 B5A0 368C 3C76 EED7 D7E0 4784
Solution 4 - Shell
according to this http://gcc.gnu.org/mirrors.html that should be Jakub Jelinek and valid. i don't know where you would get his public key though.