Unix & Linux Asked by Emwdmkqowdkmqwomkd on October 31, 2021
I’m completely new to GnuPG and I’m trying to test it.
Basically, what I’ve done is downloaded the Linux Mint key (ID 0FF405B2) from pgp.mit.edu.
gpg --keyserver pgp.mit.edu --recv-keys 0FF405B2
I’ve verified that it’s in my keychain, from Clement Lefebvre.
After that was done, I download the PGP block from a Linux Mint mirror. (http://mirror.csclub.uwaterloo.ca/linuxmint/stable/17.3/sha256sum.txt.gpg)
I essentially copied and pasted it and saved it as lmgpg.sig. I’ve also tried lmgpg.gpg and lmgpg.txt.gpg and even just wget’d it.
After that, I saved one of the hashes:
854d0cfaa9139a898c2a22aa505b919ddde34f93b04a831b3f030ffe4e25a8e3 linuxmint-17.3-cinnamon-64bit.iso
as lmsum.txt.
So, when all that’s done with, I try to verify the file with the hash in it and even the ISO itself. With both, I get:
gpg --verify lmgpg.sig lmsum.txt
gpg: Signature made Wed 06 Jan 2016 08:06:20 AM PST using DSA key ID 0FF405B2
gpg: BAD signature from "Clement Lefebvre (Linux Mint Package Repository v1) <[email protected]>"
This also happens when I repeat the above operations with files from a Debian stable mirror.
Please, what on Earth am I doing wrong?
The various checksum and signature files allow you to verify the files you downloaded, not files you re-create yourself. So you download the ISO image and the verification files
wget http://mirror.csclub.uwaterloo.ca/linuxmint/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso
wget http://mirror.csclub.uwaterloo.ca/linuxmint/stable/17.3/sha256sum.txt{.gpg,}
and pull the GPG key into your keychain as you did, then verify the files:
sha256sum -c sha256sum.txt
which complains about missing files, but verifies the ISO you downloaded, and
gpg --verify sha256sum.txt.gpg sha256sum.txt
which should tell you that the signature is good. The signature is only valid for the exact file which was signed; you can't create part of it using sha256sum and have it verify that.
The whole point of this exercise is to verify that the ISO is correct, according to sha256sum, and that the SHA-256 checksum is itself correct, according to the GnuPG signature; crucially the last part relies on Clement Lefebvre's Linux Mint key which you downloaded separately from a different source.
Answered by Stephen Kitt on October 31, 2021
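The difference between checking the signed list exactly as downloaded and checking a re-created one-line excerpt, as an added example that is not part of the original question or answer. It builds constructed files and a throwaway signing key in a temporary directory; the names a.iso, b.iso and the helper functions are assumptions, and it needs GnuPG 2.1 or later.

```shell
#!/usr/bin/env bash
# Added example. Files and signing key are constructed, not Linux Mint's.

# Verify NAME inside DIR, which must also hold sha256sum.txt{,.gpg}.
verify_download() {
    (
        cd "$1" || exit 2
        # 1. The detached signature covers the exact bytes of sha256sum.txt.
        gpg --batch --verify sha256sum.txt.gpg sha256sum.txt 2>/dev/null || exit 1
        # 2. Only now trust the list; check the single entry for NAME so
        #    the other, undownloaded files are not reported as missing.
        entry=$(awk -v n="$2" '$2 == n || $2 == "*" n' sha256sum.txt)
        [ -n "$entry" ] || exit 1
        printf '%s\n' "$entry" | sha256sum -c --status -
    )
}

# The question's approach: check the signature against a one-line excerpt.
excerpt_verifies() {
    (
        cd "$1" || exit 2
        grep -F -- "$2" sha256sum.txt > lmsum.txt
        gpg --batch --verify sha256sum.txt.gpg lmsum.txt 2>/dev/null
    )
}

# Build a constructed two-image "mirror" under $1, signed by a throwaway key.
make_demo() {
    export GNUPGHOME="$1/gnupg"
    mkdir -p "$1/dl" "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' 2>/dev/null
    (
        cd "$1/dl" || exit 2
        printf 'constructed image A\n' > a.iso
        printf 'constructed image B\n' > b.iso
        sha256sum a.iso b.iso > sha256sum.txt
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --armor --detach-sign --output sha256sum.txt.gpg sha256sum.txt
    )
}

demo=$(mktemp -d)
make_demo "$demo"
verify_download  "$demo/dl" a.iso && echo "full list + ISO: verified"
excerpt_verifies "$demo/dl" a.iso || echo "one-line excerpt: BAD signature"
echo tampered >> "$demo/dl/a.iso"
verify_download  "$demo/dl" a.iso || echo "modified ISO: rejected"
```

Both functions rely on gpg's exit status rather than its printed text, so they fail closed when the signature, the list entry or the image does not match.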