Nisba

Reputation: 3438

Can't verify pgp signature

I downloaded rsync 3.1.3 and the corresponding signature from the official website, but I am not able to verify the signature.

This does not work:

$ gpg --verify signature.sig rsync.tar.gz 
gpg: unknown armor header:  Version: GnuPG v1
gpg: Signature made Sun Jan 28 23:57:59 2018 UTC using DSA key ID 4B96A8C5
gpg: Can't check signature: public key not found

I looked at this link, so I tried these commands, which are not working:

$ gpg --output rsync.tar.gz --decrypt signature.sig 
gpg: unknown armor header:  Version: GnuPG v1
Detached signature.
Please enter name of data file: rsync.tar.gz 
gpg: Signature made Sun Jan 28 23:57:59 2018 UTC using DSA key ID 4B96A8C5
gpg: Can't check signature: public key not found

$ gpg --output rsync.tar.gz --verify signature.sig 
gpg: unknown armor header:  Version: GnuPG v1
gpg: no signed data
gpg: can't hash datafile: file open error

What should I do?

Upvotes: 0

Views: 6888

Answers (1)

Ben

Reputation: 4331

The problem here is that you've renamed the detached signature file; the original detached signature is named the same as the file, with an additional extension.

bash-4.4$ ls -l rsync-3.1.3.tar.gz*
-rw-r--r--  1 ben  wheel  905908 29 Jan 10:54 rsync-3.1.3.tar.gz
-rw-r--r--  1 ben  wheel     181 29 Jan 10:58 rsync-3.1.3.tar.gz.asc
bash-4.4$ gpg --verify rsync-3.1.3.tar.gz.asc 
gpg: assuming signed data in 'rsync-3.1.3.tar.gz'
gpg: Signature made Mon 29 Jan 10:57:59 2018 AEDT
gpg:                using DSA key 0x6C859FB14B96A8C5
gpg: Good signature from "Wayne Davison <[email protected]>" [unknown]
gpg:                 aka "Wayne Davison <[email protected]>" [unknown]
gpg: [email protected]: Verified 1 signature in the past 13 seconds.  Encrypted
     0 messages.
gpg: [email protected]: Verified 1 signature in the past 13 seconds.
     Encrypted 0 messages.
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0048 C8B0 26D4 C96F 0E58  9C2F 6C85 9FB1 4B96 A8C5
bash-4.4$ 

When retaining the correct filename and running the verify command on that, GPG correctly determines the name of the signed file and checks the signature against it.

Upvotes: 1
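
An added example, not part of the question or the answer above and not rsync project code: a shell script that tells apart the two outcomes shown on this page ("public key not found" and "Good signature") by reading gpg's machine-readable `--status-fd` lines, and accepts a signature only when the primary key fingerprint equals the one printed in the answer's output. The function names and verdict words are hypothetical.

```shell
#!/bin/sh
# Added example. Fingerprint copied from the "Primary key fingerprint" line in
# the answer's output, spaces removed. Confirm it through a channel you trust.
EXPECTED_FPR="0048C8B026D4C96F0E589C2F6C859FB14B96A8C5"

# classify_status EXPECTED_FPR  (hypothetical helper)
# Reads gpg --status-fd lines on stdin and prints one verdict:
# GOOD, WRONG_KEY, BAD, REJECTED, NO_PUBKEY or UNKNOWN.
classify_status() {
    want=$1 verdict=UNKNOWN
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            # Same condition as "Can't check signature: public key not found".
            NO_PUBKEY) verdict=NO_PUBKEY ;;
            # The data file does not match the signature.
            BADSIG) verdict=BAD ;;
            # Expired signature, expired key or revoked key: never accept.
            EXPSIG|EXPKEYSIG|REVKEYSIG) verdict=REJECTED ;;
            VALIDSIG)
                # The last VALIDSIG field is the primary key fingerprint.
                fpr=${rest##* }
                if [ "$fpr" != "$want" ]; then
                    verdict=WRONG_KEY
                elif [ "$verdict" = UNKNOWN ]; then
                    verdict=GOOD        # an earlier failure is never overridden
                fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# verify_detached SIGNATURE DATAFILE  (hypothetical helper)
# Passes both file names to gpg explicitly; status lines go to stdout,
# the human-readable messages on stderr are discarded.
verify_detached() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        classify_status "$EXPECTED_FPR"
}

# Usage: sh verify.sh rsync-3.1.3.tar.gz.asc rsync-3.1.3.tar.gz
if [ "$#" -eq 2 ]; then
    verify_detached "$1" "$2"
fi
```

A `NO_PUBKEY` verdict means the signing key has to be imported into the keyring before gpg can check anything, and `GOOD` here says the fingerprint matched the pinned value, which is a stronger statement than the `[unknown]` trust level gpg prints next to the user ID.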
