107

When I download GCC, it also has a .sig file, and I think it is provided to verify the downloaded file. (I downloaded GCC from here).

But I can't figure out how I should use it. I tried gpg, but it complains about a public key.

[root@localhost src]# gpg --verify gcc-4.7.2.tar.gz.sig gcc-4.7.2.tar.gz
gpg: Signature made Thu 20 Sep 2012 07:30:44 PM KST using DSA key ID C3C45C06
gpg: Can't check signature: No public key
[root@localhost src]# 

How can I verify the downloaded file with the .sig file?

4 Answers

111

You need to import the public key: C3C45C06

This can be done in three steps.

  1. Find the public key ID:

    $ gpg gcc-4.7.2.tar.gz.sig
    gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06
    gpg: Can't check signature: No public key

  2. Import the public key from a key server. It's usually not needed to choose a key server, but it can be done with --keyserver <server>. Keyserver examples.

    $ gpg --recv-key C3C45C06
    gpg: requesting key C3C45C06 from hkp server keys.gnupg.net
    gpg: key C3C45C06: public key "Jakub Jelinek <jakub@redhat.com>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg:               imported: 1

    If the command errors out with a timeout, you may be behind a firewall that is blocking the default gpg port. Try using the `--keyserver` option with port 80 (almost all firewalls allow port 80 b/c of web browsing):

    $ gpg --keyserver hkp://${HOSTNAME}:80 --recv-keys ${KEY_ID}

  3. Verify the signature:

    $ gpg gcc-4.7.2.tar.gz.sig
    gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06
    gpg: Good signature from "Jakub Jelinek <jakub@redhat.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06

The output should say "Good signature".


gpg: WARNING: This key is not certified with a trusted signature!

Is for another question ;)

  • Great step-by-step explanation! – Matthew Kraus Jun 30 '15 at 17:55
  • In the case that the file requiring verification is gnupg (not in the question), SHA-1 check-sums are available on the gnupg site for verifying one's first gnupg download. – 10 cls Nov 19 '16 at 17:03
  • During signature verification, gpg processes the tarball file and its corresponding .sig file as a unit. If the tarball is missing or renamed, gpg provides the opportunity to specify the tarball name. – Andrew P. Jan 13 '17 at 18:08
  • I have got an RSA key, and it doesn't work without or with `--keyserver` from that list; only one gets it, but it seems not trusted. It's weird, since I'm trying it on `GNU coreutils`, which is a widely used package. – user10089632 Feb 24 '18 at 08:54
  • Also, if gpg warns "no command supplied, guessing what you mean", use `gpg --verify gcc-4.7.2.tar.gz.sig` instead. – xdavidliu Oct 02 '19 at 21:32
  • So, I presume this is better than just a hash of the file - but I'm not sure how - given that "There is no indication that the signature belongs to the owner." – nycynik May 13 '20 at 06:20
31

This other avenue is particularly useful for verifying GNU projects (e.g. Octave) since the key requested by their signature may not be found in any key server.

From https://ftp.gnu.org/README

There are also .sig files, which contain detached GPG signatures of the above files, automatically signed by the same script that generates them.

You can verify the signatures for gnu project files with the keyring file from:

https://ftp.gnu.org/gnu/gnu-keyring.gpg

In a directory with the keyring file, the source file to verify and the signature file, the command to use is:

$ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig

  • But if we are talking about security then it is better to use an HTTPS connection: [https://ftp.gnu.org/gnu/gnu-keyring.gpg](https://ftp.gnu.org/gnu/gnu-keyring.gpg) – Maxim Mar 11 '17 at 18:05
  • Funny, I'm here explicitly to figure out how to validate Octave! :) – Ron Jensen Feb 08 '19 at 22:09
  • Thanks. I couldn't find the Bash maintainer's key in any key server, but this was what I needed to verify the signature for its source code. – Anthony Geoghegan Feb 27 '19 at 22:27
  • For Octave see the answer about the gpg4win app here: https://superuser.com/questions/1268544/how-to-verify-a-download-file-using-a-sig-file-and-public-key-in-windows-10 – Martin Jun 02 '19 at 00:30
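Added example, not code from either answer above: a POSIX shell verifier that runs the first answer's verification step against a keyring file such as the gnu-keyring.gpg from the second answer, but reads gpg's machine-readable `--status-fd` output and pins the signer's primary-key fingerprint (the one the first answer prints) instead of grepping for "Good signature". That explicit fingerprint check is what stands in for the "not certified with a trusted signature" warning. It assumes gpg is installed; the keyring and file paths are the caller's, and the status lines used for the offline demo are constructed.

```shell
#!/bin/sh
# Added example, not from the answers above. Verifies a detached .sig against a
# fingerprint you pin in advance, using gpg's machine-readable --status-fd
# output instead of grepping "Good signature". Assumes gpg is installed and that
# keyring and file paths are supplied by the caller.

# Parses gpg --status-fd lines from stdin. Succeeds only on a VALIDSIG line
# whose last field (the primary key fingerprint) equals the pinned fingerprint.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    while IFS=' ' read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                primary=$(printf '%s' "$rest" | awk '{ print $NF }')
                if [ "$primary" = "$expected" ]; then return 0; fi
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                return 1
                ;;
        esac
    done
    return 1   # no VALIDSIG from the pinned key was seen
}

# Runs the real verification; the keyring must be given as a path (./ or
# absolute), e.g. the gnu-keyring.gpg from the second answer.
# Usage: verify_pinned <fingerprint> <keyring> <file.sig> <file>
verify_pinned() {
    gpg --batch --no-default-keyring --keyring "$2" --status-fd 1 \
        --verify "$3" "$4" 2>/dev/null | check_status "$1"
}

# Fingerprint printed by the first answer for the GCC 4.7.2 signing key.
GCC_FPR='33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06'

# Constructed sample of the status lines gpg emits for that signature
# (fingerprint from the page; timestamp and remaining fields made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A328C3A2C3C45C06 Jakub Jelinek <jakub@redhat.com>
[GNUPG:] VALIDSIG 33C235A34C46AA3FFB293709A328C3A2C3C45C06 2012-09-20 1348137044 0 4 0 17 2 00 33C235A34C46AA3FFB293709A328C3A2C3C45C06
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if printf '%s\n' "$SAMPLE_STATUS" | check_status "$GCC_FPR"; then
    echo "sample: valid signature from the pinned key"
fi
# Real run once the files are in the current directory, e.g.:
# verify_pinned '<fingerprint from the project site>' ./gnu-keyring.gpg foo.tar.xz.sig foo.tar.xz
```

Get the fingerprint to pin from the project's own web page or release announcement, not from the key server response, otherwise the check only confirms that some key with that ID signed the file.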
2

You have to search the public keyservers for the given key ID, in your case ID C3C45C06. Import the found key into your local keystore and after this the verification should be OK. I use Ubuntu 12.04 and it comes with the Seahorse key management software. Before the key import I was seeing this:

~/Downloads$ gpg --verify --keyring ./gnu-keyring.gpg icecat-31.5.0.en-US.linux-x86_64.tar.bz2.sig icecat-31.5.0.en-US.linux-x86_64.tar.bz2
gpg: Signature made  9.03.2015 (пн) 22,35,52 EET using RSA key ID D7E04784
gpg: Can't check signature: public key not found

After the key import I was seeing this:

~/Downloads$ gpg --verify --keyring ./gnu-keyring.gpg icecat-31.5.0.en-US.linux-x86_64.tar.bz2.sig icecat-31.5.0.en-US.linux-x86_64.tar.bz2
gpg: Signature made  9.03.2015 (пн) 22,35,52 EET using RSA key ID D7E04784
gpg: Good signature from "Ruben Rodriguez (GNU IceCat releases key) <ruben@gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A573 69A8 BABC 2542 B5A0  368C 3C76 EED7 D7E0 4784
  • Opened a question about this warning at https://superuser.com/questions/1616531/gpg4win-signature-validation-how-to-fix-warning-this-key-is-not-certified-wit – questionto42 Jan 10 '21 at 23:49
-2

According to this http://gcc.gnu.org/mirrors.html that should be Jakub Jelinek and valid. I don't know where you would get his public key though.