Would someone give me an example of how to verify the integrity of the tarball against a pgp key? Thanks, Jerome
Would someone give me an example of how to verify the integrity of the tarball against a pgp key? Assuming you have already imported the public key: gpg --verify signaturefile tarball
Import the public key through a GUI with something like KGPG (part of the kdeutils3 package) or on the command line with gpg --import publickey. There are more GUI frontends listed at: www.gnupg.org/(en)/related_software/frontends.html
On Sunday 22 January 2006 12:32, rmyster wrote:
Would someone give me an example of how to verify the integrity of the tarball against a pgp key?
Assuming you have already imported the public key: gpg --verify signaturefile tarball
@linux:~/bin> gpg --verify pgadmin3-1.4.1.tar.gz.sig
gpg: Signature made Sat 10 Dec 2005 04:47:04 AM HST using DSA key ID 1A19643B
gpg: Can't check signature: public key not found
@linux:~/bin> gpg --verify pgadmin3-1.4.1.tar.gz.sig pgadmin3-1.4.1.tar.gz
gpg: Signature made Sat 10 Dec 2005 04:47:04 AM HST using DSA key ID 1A19643B
gpg: Can't check signature: public key not found
Import the public key through a GUI with something like KGPG (part of the kdeutils3 package) or on the command line with gpg --import publickey
@linux:~/bin> gpg --import pgadmin3-1.4.1.tar.gz.sig
gpg: Total number processed: 0

I'm assuming pgadmin3-1.4.1.tar.gz.sig is the signed public key.

This is confusing.

If pgadmin3-1.4.1.tar.gz.sig is not the public key then why isn't the public key in the same directory as pgadmin3-1.4.1.tar.gz.sig and pgadmin3-1.4.1.tar.gz? If pgadmin3-1.4.1.tar.gz.sig is not the public key then what is it? Is there a standard way to find/recognize the public key?

What am I doing/got wrong?

Jerome

PS The online documentation doesn't help much. In general, in their explanations they don't define enough terms. And they don't give enough concrete examples. Most of the time it seems you have to already know the answer to understand the answer. For example, from http://webber.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.3:

3.6 KEY SIGNING
Using the gpg --edit-key UID command for the key that needs to be signed you can sign it with the sign command

It sounds like gpg --edit-key UID and sign are different commands. If so it is not clear how they are to be used together. A nice concrete example would be useful here.

3.3 IMPORTING KEYS
gpg --import [Filename]

Here a set of examples showing the different forms Filename could take would be useful. For example: gpg --import pgadmin3-1.4.1.tar.gz.sig

Or this:

There is one more important command that is relevant for working with keys. gpg --edit-key UID Using this you can edit (among other things) the expiration date, add a fingerprint and sign your key. Although it is too logic to mention. For this you need your passphrase. When entering this you will see a command line.

What does this even mean??

and last but not least:

1.2 DIGITAL SIGNATURES
In order to prove that a message was really sent by the alleged sender the concept of Digital Signatures was invented. As the name says a message is digitally signed by the sender. By using this signature you can check the authenticity of a message. Using this will reduce the risk for Trojan horses (a message that claims to be a patch to a certain problem but actually contains a virus or does something bad with data on your computer). Also information or data can be verified as coming from a legitimate source and thus be regarded as real. A digital signature is made through a combination of the secret key and the text. Using the sender's public key the message can be verified. Not only will be checked if the correct sender is involved, also the content will be checked. So you know that the message comes from the sender and has not been changed during the transportation process.

This is all very well in theory but it doesn't tell me what I need to know: how to use digital signatures to verify the package I want to verify. And this is a howto! One could reasonably expect to be told how to in a howto. Maybe someone should start a blog of 'concrete examples'.

And finally. I know verifying software is important and I should learn how to do it. But, all this is a diversion from what I want to do, which is get pgadmin3-1.4.1 up and running. Everything goes well until 'make' says it can't find some files and quits with an error message. I join the pgadmin list and describe my problem. A resident guru says he's checked and the missing files are there, I must have a corrupted copy and did I verify my copy against his signature? So here I am once again climbing another learning curve when what I really want to be doing is climbing the learning curve of pgadmin3.

OK, I'm done.
There are more GUI frontends listed at: www.gnupg.org/(en)/related_software/frontends.html
The Monday 2006-01-23 at 00:11 -1000, Susemail wrote:
@linux:~/bin> gpg --import pgadmin3-1.4.1.tar.gz.sig
gpg: Total number processed: 0
I'm assuming pgadmin3-1.4.1.tar.gz.sig is the signed public key.
This is confusing.
If pgadmin3-1.4.1.tar.gz.sig is not the public key then why isn't the public key in the same directory as pgadmin3-1.4.1.tar.gz.sig and pgadmin3-1.4.1.tar.gz? If pgadmin3-1.4.1.tar.gz.sig is not the public key then what is it? Is there a standard way to find/recognize the public key?
The public key would never be in the same place as the package or file or whatever you want to check. That .sig should be the separate signature of the file: you feed both the file and the .sig to pgp, and it says if the file is intact, authentic, or not - provided you already have the public key.

Where is the public key? I don't know, I haven't looked. It could be obtained from a public key server, for example (like mine). It could be published on a web page. Or you could interchange it in person - that's the best way, and the only one by which you can certify that it is really his, and sign the key (web of trust).

--
Cheers,
Carlos Robinson
I'm assuming pgadmin3-1.4.1.tar.gz.sig is the signed public key.
No, pgadmin3-1.4.1.tar.gz.sig is the package signature, not the public key.
If pgadmin3-1.4.1.tar.gz.sig is not the public key then why isn't the public key in the same directory as pgadmin3-1.4.1.tar.gz.sig and pgadmin3-1.4.1.tar.gz? If pgadmin3-1.4.1.tar.gz.sig is not the public key then what is it? Is there a standard way to find/recognize the public key?
What am I doing/got wrong?
You are trying to import the package signature instead of the signer's public key. Often the signer has a link to the public key on the home website. If not, the public key can be downloaded from one of the key servers by doing a search on the key id which in this case would be DSA key ID 1A19643B or the email address (dpage@pgadmin.org). I did a search on "public key" at the package home page and the info was contained in the first choice that came up. http://www.pgadmin.org/pgp/davepage.pgp
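Since the whole thread turns on the difference between a detached .sig and a public key, here is an added example (my own, not code from the list or from the pgadmin project) in Python that reads the first OpenPGP packet header of a file, binary or ASCII-armored, and reports whether it is a signature or a public key; the sample bytes are constructed, not real pgadmin artifacts.

```python
import base64

# OpenPGP packet tags (RFC 4880, section 4.3) that matter here.
PACKET_TAGS = {
    2: "signature packet (a .sig file: pass it to 'gpg --verify', never to --import)",
    6: "public-key packet (this is the file 'gpg --import' expects)",
}

def dearmor(data: bytes) -> bytes:
    """Return the binary packet stream: strip ASCII armor if present, else pass data through."""
    text = data.decode("ascii", "replace").strip()
    if not text.startswith("-----BEGIN PGP "):
        return data
    body, in_body = [], False
    for line in text.splitlines()[1:]:      # skip the BEGIN line itself
        if not in_body:
            in_body = line.strip() == ""    # a blank line ends the armor headers
            continue
        if line.startswith("=") or line.startswith("-----END"):
            break                           # "=XXXX" is the CRC-24 line; stop before it
        body.append(line.strip())
    return base64.b64decode("".join(body))

def first_packet_tag(packets: bytes) -> int:
    """Decode the tag of the first OpenPGP packet header (old or new format)."""
    if not packets or not packets[0] & 0x80:
        raise ValueError("first byte lacks the always-set high bit of a packet header")
    first = packets[0]
    if first & 0x40:                        # new-format header: tag is the low six bits
        return first & 0x3F
    return (first >> 2) & 0x0F              # old-format header: tag sits in bits 5..2

def classify(data: bytes) -> str:
    """Say what kind of OpenPGP file this is, or report that it is not one (e.g. the tarball)."""
    try:
        tag = first_packet_tag(dearmor(data))
    except ValueError as exc:
        return f"not an OpenPGP file ({exc})"
    return PACKET_TAGS.get(tag, f"other OpenPGP packet (tag {tag})")

# Constructed samples, not real pgadmin artifacts: 0x89 = old-format tag 2 with a 2-byte
# length, 0x99 = old-format tag 6 with a 2-byte length; the bodies are padding.
SAMPLE_SIG = bytes([0x89, 0x00, 0x2D, 0x04, 0x00, 0x11, 0x02]) + b"\x00" * 45
SAMPLE_KEY_ARMORED = (
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
    + base64.b64encode(bytes([0x99, 0x00, 0x0D, 0x04, 0x43, 0x9A, 0x2B, 0x10, 0x11]) + b"\x00" * 8)
    + b"\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"
)
```

With the real tool, gpg --list-packets on either file gives the same answer in more detail.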
Participants (3): Carlos E. R., rmyster, Susemail