
Trying to verify file integrity with GnuPG. "BAD signature" all the time

Unix & Linux Asked by Emwdmkqowdkmqwomkd on October 31, 2021

I’m completely new to GnuPG and I’m trying to test it.

Basically, what I’ve done is downloaded the Linux Mint key (ID 0FF405B2) from pgp.mit.edu.

gpg --keyserver pgp.mit.edu --recv-keys 0FF405B2

I’ve verified that it’s in my keychain, from Clement Lefebvre.

After that was done, I download the PGP block from a Linux Mint mirror. (http://mirror.csclub.uwaterloo.ca/linuxmint/stable/17.3/sha256sum.txt.gpg)

I essentially copied and pasted it and saved it as lmgpg.sig. I’ve also tried lmgpg.gpg and lmgpg.txt.gpg and even just wget'd it.

After that, I saved one of the hashes:

854d0cfaa9139a898c2a22aa505b919ddde34f93b04a831b3f030ffe4e25a8e3  linuxmint-17.3-cinnamon-64bit.iso

as lmsum.txt.

So, when all that’s done with, I try to verify the file with the hash in it and even the ISO itself. With both, I get:

gpg --verify lmgpg.sig lmsum.txt 
gpg: Signature made Wed 06 Jan 2016 08:06:20 AM PST using DSA key ID 0FF405B2
gpg: BAD signature from "Clement Lefebvre (Linux Mint Package Repository v1) <[email protected]>"

This also happens when I repeat the above operations with files from a Debian stable mirror.

Please, what on Earth am I doing wrong?

One Answer

The various checksum and signature files allow you to verify the files you downloaded, not files you re-create yourself. So you download the ISO image and the verification files

wget http://mirror.csclub.uwaterloo.ca/linuxmint/stable/17.3/linuxmint-17.3-cinnamon-64bit.iso
wget http://mirror.csclub.uwaterloo.ca/linuxmint/stable/17.3/sha256sum.txt{.gpg,}

and pull the GPG key into your keychain as you did, then verify the files:

sha256sum -c sha256sum.txt

which complains about missing files, but verifies the ISO you downloaded, and

gpg --verify sha256sum.txt.gpg sha256sum.txt

which should tell you that the signature is good. The signature is only valid for the exact file which was signed; you can't create part of it using sha256sum and have it verify that.

The whole point of this exercise is to verify that the ISO is correct, according to sha256sum, and that the SHA-256 checksum is itself correct, according to the GnuPG signature; crucially the last part relies on Clement Lefebvre's Linux Mint key which you downloaded separately from a different source.

Answered by Stephen Kitt on October 31, 2021
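The answer's procedure, run end to end as an added example (this is not code from the question or the answer, and it downloads nothing): a throwaway key signs a constructed sha256sum.txt covering two fake images, and the cases discussed in the thread are then checked in turn: the image against the list, the list against its detached signature, the questioner's hand-copied lmsum.txt against that same signature, and a modified image against the list. The key's user ID, the scratch directory and the image contents are all made up for the demo; it assumes gpg 2.1 or later and GNU coreutils sha256sum on the PATH.

```shell
#!/bin/sh
# Added example (not code from the original post): rebuild the answer's
# procedure offline with a throwaway key and a fake "ISO", then show why a
# hand-written checksum file gets "BAD signature". Requires gpg (2.1+) and
# sha256sum from coreutils; every file name below is made up for the demo.

set -u

# Scratch directory with a private GNUPGHOME so the user's keyring is untouched.
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

have_tools() { command -v gpg >/dev/null 2>&1 && command -v sha256sum >/dev/null 2>&1; }

# Play the release manager: two constructed images, a sha256sum.txt listing
# both, and a detached signature over that list, the same shape as
# sha256sum.txt.gpg on the Mint mirror. Idempotent so it may run twice.
publish_release() {
  [ -f "$WORK/sha256sum.txt.gpg" ] && return 0
  printf 'constructed cinnamon payload\n' > "$WORK/linuxmint-17.3-cinnamon-64bit.iso"
  printf 'constructed mate payload\n'     > "$WORK/linuxmint-17.3-mate-64bit.iso"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Signer <signer@example.invalid>' default default never || return 1
  ( cd "$WORK" && sha256sum linuxmint-17.3-*.iso > sha256sum.txt ) || return 1
  gpg --batch --quiet --detach-sign --output "$WORK/sha256sum.txt.gpg" "$WORK/sha256sum.txt"
}

# Step 1 of the answer: check the downloaded image against the list. Only the
# cinnamon image was "downloaded", so sha256sum -c complains about the missing
# mate image and exits non-zero; what matters is the line for the file you
# have. Returns 0 when that line reads OK.
check_iso() {
  rm -f "$WORK/linuxmint-17.3-mate-64bit.iso"
  ( cd "$WORK" && sha256sum -c sha256sum.txt 2>/dev/null ) \
      | grep -qx 'linuxmint-17.3-cinnamon-64bit.iso: OK'
}

# Step 2: verify the detached signature over the exact file the mirror served.
# gpg exits 0 only for a good signature.
verify_checksums() {
  gpg --batch --quiet --verify "$WORK/sha256sum.txt.gpg" "$WORK/sha256sum.txt" 2>/dev/null
}

# The questioner's mistake: copy one hash line into lmsum.txt and verify the
# mirror's signature against that. The signed bytes differ, so gpg reports
# BAD signature and exits non-zero, although every byte of the line is genuine.
verify_recreated_list() {
  grep 'cinnamon' "$WORK/sha256sum.txt" > "$WORK/lmsum.txt"
  gpg --batch --quiet --verify "$WORK/sha256sum.txt.gpg" "$WORK/lmsum.txt" 2>/dev/null
}

# The other failure the two layers catch: a modified image leaves the signed
# list (and its signature) intact but fails sha256sum -c. Returns 0 when the
# FAILED line for the image is seen; restores the image afterwards.
tampered_iso_detected() {
  cp "$WORK/linuxmint-17.3-cinnamon-64bit.iso" "$WORK/iso.orig"
  printf 'x' >> "$WORK/linuxmint-17.3-cinnamon-64bit.iso"
  ( cd "$WORK" && sha256sum -c sha256sum.txt 2>/dev/null ) \
      | grep -qx 'linuxmint-17.3-cinnamon-64bit.iso: FAILED'
  rc=$?
  mv "$WORK/iso.orig" "$WORK/linuxmint-17.3-cinnamon-64bit.iso"
  return $rc
}

if have_tools; then
  publish_release
  for step in check_iso verify_checksums verify_recreated_list tampered_iso_detected; do
    if "$step"; then echo "$step: exit 0"; else echo "$step: exit $?"; fi
  done
else
  echo 'gpg or sha256sum not installed; nothing to demonstrate' >&2
fi
```

Each step prints its exit status; the only one expected to exit non-zero is verify_recreated_list, which is exactly the BAD signature in the question. Branch on gpg's exit status in scripts, not on its text. Against the real Mint key, gpg will additionally warn that the key is not certified with a trusted signature; that concerns trust in the key you fetched from the keyserver, not the validity of the signature, and the exit status is still 0.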
