How to verify downloaded file with .sig file?

eonil picture eonil · Mar 11, 2013 · Viewed 46.3k times · Source

When I download GCC, it also has a .sig file, and I think it is provided to verify downloaded file. (I downloaded GCC from here).

But I can't figure out how should I use it. I tried gpg, but it complains about public key.

[root@localhost src]# gpg --verify gcc-4.7.2.tar.gz.sig gcc-4.7.2.tar.gz
gpg: Signature made Thu 20 Sep 2012 07:30:44 PM KST using DSA key ID C3C45C06
gpg: Can't check signature: No public key
[root@localhost src]# 

How can I verify downloaded file with .sig file?

Answer

A.D. picture A.D. · Apr 19, 2015

You need to import public key: C3C45C06

Can be done in three steps.

  1. find public key ID:

    $ gpg gcc-4.7.2.tar.gz.sig gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06 gpg: Can't check signature: No public key

  2. import the public key from key server. It's usually not needed to choose key server, but it can be done with --keyserver <server>. Keyserver examples.

    $ gpg --recv-key C3C45C06 gpg: requesting key C3C45C06 from hkp server keys.gnupg.net gpg: key C3C45C06: public key "Jakub Jelinek [email protected]" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1

If the command error's out with a timeout, you may be behind a firewall that is blocking the default gpg port. Try using the `--keyserver' option with port 80 (almost all firewalls allow port 80 b/c of web browsing):

$ gpg --keyserver hkp://${HOSTNAME}:80 --recv-keys ${KEY_ID}
  1. verify signature:

    $ gpg gcc-4.7.2.tar.gz.sig gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06 gpg: Good signature from "Jakub Jelinek [email protected]" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06

The output should say "Good signature".


gpg: WARNING: This key is not certified with a trusted signature!

Is for another question ;)