Sto cercando di seguire le istruzioni per verificare un file scaricato qui:
Get a local copy of the signing key
You will need to know the key id of the key you want to confirm. If you are using ASDF-Install, ASDF-Install will complain about an unknown key, and tell you the ID. Otherwise, download both the tarball and the signature file, and pass the signature file to GnuPG:
gpg cl-yacc-0.2.tar.gz.asc GnuPG will complain about an unknown key, and tell you the ID. At that point, do gpg --recv id to download a local copy of the key.
Sto cercando di verificare il file scaricato:
libevent-2.0.22-stable.tar.gz
E ho questo file di firma:
libevent-2.0.22-stable.tar.gz.asc
Seguendo i passaggi precedenti, questo è quello che ho ottenuto:
~/Downloads$ gpg libevent-2.0.22-stable.tar.gz.asc
gpg: assuming signed data in 'libevent-2.0.22-stable.tar.gz'
gpg: Signature made Mon Jan 5 08:16:20 2015 MST using RSA key ID 8D29319A
gpg: Good signature from "Nick Mathewson <[email protected]>" [unknown]
gpg: aka "Nick Mathewson <[email protected]>" [unknown]
gpg: aka "Nick Mathewson <[email protected]>" [unknown]
gpg: aka "[jpeg image of size 3369]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B35B F85B F194 89D0 4E28 C33C 2119 4EBB 1657 33EA
Subkey fingerprint: EF00 F369 1387 FCC5 8CD6 8E13 9103 97D8 8D29 319A
~/Downloads$ gpg --recv 8D29319A
gpg: requesting key 8D29319A from hkps server hkps.pool.sks-keyservers.net
gpg: key 165733EA: "Nick Mathewson <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Successivamente, dice:
Confirm the key from an independent source
You now need to confirm the key from an independent source i.e. neither the signature file nor the keyserver.
Find out more about the key
Armed with the ID of the key you are interested in, check the key on on your favourite keyserver interface (choose “verbose index”). You will find all the uids (e-mail addresses) of the person who signed the key, as well as the people who have signed that key.
Per quanto posso dire, la frase armata con l'ID della chiave a cui sei interessato si riferisce a: 8D29319A
. In ogni caso, ho provato ad inserire tutti i numeri, le impronte digitali e la chiave pubblica blindata ascii nell'interfaccia di keyserver collegata, e ho ottenuto solo un'eccezione dopo l'eccezione.
Che cosa sto sbagliando?
$ gpg --version
gpg (GnuPG/MacGPG2) 2.0.28
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$