Human

Reputation: 876

How to check the signature of release software with gpg?

I'm creating a docker image, and I am trying to verify my downloaded gosu.

The host I am using to build my docker images is behind a web proxy and I am asking myself if the proxy has anything to do with my problem. I know that previous versions of gpg included the option --honor-http-proxy which has no effect anymore.

I've written a bash script in order to understand the details of gpg usage in scripts. I run this script on my machine just to try things out. My hope is that after I can make it work on my local machine, I can make it work in the Dockerfile.

#!/bin/bash

set -ex

# Download
wget -O ~/dev/gosu/gosu "https://github.com/tianon/gosu/releases/download/1.10/gosu-amd64";
wget -O ~/dev/gosu/gosu.asc "https://github.com/tianon/gosu/releases/download/1.10/gosu-amd64.asc";

# verify the signature
export GNUPGHOME="$(mktemp -d)";
gpg --keyserver keyserver.ubuntu.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4;
gpg --batch --verify ~/dev/gosu/gosu/gosu.asc ~/dev/gosu/gosu;
rm -rf "$GNUPGHOME" ~/dev/gosu/gosu/gosu.asc;
chmod +x ~/dev/gosu/gosu;
# verify that the binary works
gosu nobody true;

At the moment running my script results in the following error:

+ gpg --batch --verify ~/dev/gosu/gosu/gosu.asc ~/dev/gosu/gosu
gpg: can't open '~/dev/gosu/gosu/gosu.asc': Not a directory
gpg: verify signatures failed: Not a directory

Upvotes: 1

Views: 449

Answers (1)

Bayou

Reputation: 3461

First you save the file as ~/dev/gosu/gosu.asc, but later you try to use it as ~/dev/gosu/gosu/gosu.asc. I guess it will work once you've removed the bug.

Upvotes: 1
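
An added example, not code from the question or the answer: the same download-and-verify flow with the signature path derived from the binary path, so the two cannot drift apart, and with gpg's machine-readable status checked against the pinned fingerprint. The function names and the `--run` switch are assumptions of this sketch; the URL, keyserver and fingerprint are the ones from the question.

```bash
#!/bin/bash
# Added example. Without --run this file only defines the functions.
set -eu

# validsig_matches FPR: reads `gpg --status-fd 1` output on stdin and succeeds
# only if a VALIDSIG line names FPR as the signing key ($3) or, for a signature
# made by a subkey, as the primary key (last field). Compared as strings.
validsig_matches() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (fpr "") || ($NF "") == (fpr "")) { ok = 1 }
        END { exit !ok }'
}

# verify_release FILE SIG FPR: 0 = good signature from FPR, 1 = bad or wrong
# key, 2 = a path does not exist (the failure mode in the question).
verify_release() (
    file=$1 sig=$2 fpr=$3
    [ -f "$file" ] && [ -f "$sig" ] || { echo "missing $file or $sig" >&2; exit 2; }
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || exit 1
    printf '%s\n' "$status" | validsig_matches "$fpr"
)

main() {
    url=https://github.com/tianon/gosu/releases/download/1.10/gosu-amd64
    key=B42F6819007F00F88E364FD4036A9C25BF357DD4
    bin=$HOME/dev/gosu/gosu
    sig=$bin.asc                      # derived from $bin, never typed twice
    mkdir -p "$(dirname "$bin")"
    wget -O "$bin" "$url"
    wget -O "$sig" "$url.asc"
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"
    rc=0
    verify_release "$bin" "$sig" "$key" || rc=$?
    rm -rf "$GNUPGHOME" "$sig"
    if [ "$rc" -ne 0 ]; then
        rm -f "$bin"                  # do not leave an unverified binary behind
        echo "signature check failed (status $rc)" >&2
        return "$rc"
    fi
    chmod +x "$bin"
}

if [ "${1:-}" = "--run" ]; then main; fi
```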
