having trouble checking the signature of a downloaded file
Kristian Fiskerstrand
kristian.fiskerstrand at sumptuouscapital.com
Wed Feb 21 10:48:12 CET 2018
On 02/21/2018 10:37 AM, Henry wrote:
> I downloaded a tarball ***6.4.tar.gz, its signature file
> ***6.4.tar.gz.sig, and the author's public key ******.pgp from a
> well-known site.
>
> I imported the public key: `gpg --import ******.pgp`.
> For some reason, two keys were "skipped":
> gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to missing keys
> gpg: key 0C0B590E80CA15A7: "Author's Name <author at xxxxxx.org>
> gpg: Total number processed: 3
> gpg: skipped PGP-2 keys: 2
^^^^^^^^^^^^^^^^^^^^^
note this and see below
> gpg: unchanged: 1
>
> I tried to verify the downloaded file, but the check failed:
> `gpg --verify ***6.4.tar.gz.sig ***6.4.tar.gz`
> gpg: Signature made Tue May 4 23:03:11 2004 JST
> gpg: using RSA key DC80F2A6D5327CB9
> gpg: Can't check signature: No public key
>
The above RSA key is in v3 format which is not supported in GnuPG >=2.1
for security reasons, hence not imported, and hence the output you see.
> This is the first time for this to happen, so I have no idea what I
> might be doing
> wrong. Any help or suggestions much appreciated. TIA
The author should sign the package using a more modern and secure keyblock.
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aut disce aut discede
Either learn or leave
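The failure pattern in this thread (a "skipped PGP-2 keys" line during import, followed by "No public key" for exactly the key ID the signature names) is easy to misread as a download problem. The following script is an added example, not code from the thread or from the GnuPG project: it parses the two gpg transcripts a user would paste (English output, i.e. run with `LANG=C`) and reports whether the signing key simply is not in the keyring or whether it is one of the v3/PGP-2 keys that GnuPG >= 2.1 refused to import. The sample transcripts are constructed after the lines quoted in the post; the key IDs are the ones that appear there, the user ID is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample transcripts, shaped after the post's quoted output.
# Key IDs are those from the thread; the user ID is a placeholder.
IMPORT_OUTPUT = """\
gpg: key 0C0B590E80CA15A7: 2 signatures not checked due to missing keys
gpg: key 0C0B590E80CA15A7: "Author's Name <author@example.org>" not changed
gpg: Total number processed: 3
gpg: skipped PGP-2 keys: 2
gpg:              unchanged: 1
"""

VERIFY_OUTPUT = """\
gpg: Signature made Tue May  4 23:03:11 2004 JST
gpg:                using RSA key DC80F2A6D5327CB9
gpg: Can't check signature: No public key
"""

# Patterns for the English gpg messages involved (assumes LANG=C output).
KEY_LINE = re.compile(r"^gpg: key ([0-9A-Fa-f]{16}):", re.M)
PROCESSED = re.compile(r"Total number processed: (\d+)")
SKIPPED_PGP2 = re.compile(r"skipped PGP-2 keys: (\d+)")
USING_KEY = re.compile(r"using (\w+) key ([0-9A-Fa-f]{16})")


@dataclass
class ImportSummary:
    processed: int = 0
    skipped_pgp2: int = 0
    # Key IDs gpg actually reported on (imported or unchanged); skipped
    # PGP-2 keys never get a "gpg: key ...:" line, so they are absent here.
    key_ids: set = field(default_factory=set)


@dataclass
class VerifyResult:
    algo: str = ""
    key_id: str = ""
    good: bool = False
    bad: bool = False
    no_pubkey: bool = False
    untrusted: bool = False


def parse_import(text: str) -> ImportSummary:
    """Pull the counters and the reported key IDs out of `gpg --import` output."""
    s = ImportSummary(key_ids={k.upper() for k in KEY_LINE.findall(text)})
    m = PROCESSED.search(text)
    if m:
        s.processed = int(m.group(1))
    m = SKIPPED_PGP2.search(text)
    if m:
        s.skipped_pgp2 = int(m.group(1))
    return s


def parse_verify(text: str) -> VerifyResult:
    """Extract which key the signature names and how gpg judged it."""
    r = VerifyResult()
    m = USING_KEY.search(text)
    if m:
        r.algo, r.key_id = m.group(1), m.group(2).upper()
    r.good = "Good signature from" in text
    r.bad = "BAD signature from" in text
    r.no_pubkey = "No public key" in text
    r.untrusted = "This key is not certified with a trusted signature" in text
    return r


def diagnose(imp: ImportSummary, ver: VerifyResult) -> str:
    """Map the two transcripts to one actionable verdict."""
    if ver.bad:
        return "BAD_SIGNATURE"              # file or signature altered: do not use
    if ver.good:
        # A good signature still only means "made by that key"; the fingerprint
        # must be matched against an out-of-band source before trusting it.
        return "GOOD_BUT_KEY_UNCERTIFIED" if ver.untrusted else "GOOD_SIGNATURE"
    if ver.no_pubkey:
        if ver.key_id not in imp.key_ids and imp.skipped_pgp2 > 0:
            # The keyblock was imported, yet the signing key is not among the
            # keys gpg kept and some PGP-2 (v3) keys were dropped: the package
            # is signed with a legacy key GnuPG >= 2.1 will not load.
            return "SIGNING_KEY_LIKELY_PGP2"
        return "SIGNING_KEY_NOT_IN_KEYRING"   # fetch or import the right key
    return "UNDETERMINED"


if __name__ == "__main__":
    imp = parse_import(IMPORT_OUTPUT)
    ver = parse_verify(VERIFY_OUTPUT)
    print(f"imported/unchanged keys: {sorted(imp.key_ids)}, "
          f"skipped PGP-2: {imp.skipped_pgp2}, signing key: {ver.key_id}")
    print("verdict:", diagnose(imp, ver))
```

On the thread's transcripts the verdict is `SIGNING_KEY_LIKELY_PGP2`, which matches the explanation above: nothing is wrong with the download, the signing key is a v3 key that the importer silently dropped. The parser keys on gpg's English strings, so wrap the real commands as `LANG=C gpg --import ...` and `LANG=C gpg --verify ...` and feed their stderr to it; localized output would leave every field empty and the verdict `UNDETERMINED`.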