David Durham wrote: > Hello, > > I am trying to verify the download of a gcc-4.1.0.tar.bz2 file. I also > downloaded the corresponding gcc-4.1.0.tar.bz2.sig file. I have tried > gpg --verify gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2, but it says "can't > check signature, public key not found." Does this mean the file has been > verified, but just not the signature? The file at > ftp.gnu.org/MISSING-FILES.README says that all releases after 8-1-2003 > will be signed by the gpg maintainer who prepared the release. Does this > mean I need to get the public keys of each maintainer for each software > release I download? If so, could you please tell me how and where to get > the appropriate public keys?
Yep, you need the public key(s). From looking at the sig file it was signed by Mark Mitchell <[email protected]> 0xB75C61B8 You may fetch the key beforehand (if you know the ID): $ gpg --keyserver yogi --recv-key 0xB75C61B8 or add the appropriate options to the gpg command line: $ gpg --keyserver yogi --keyserver-options auto-key-retrieve \ --verify gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2 gpg: Signature made 02/28/06 12:57:12 using DSA key ID B75C61B8 gpg: requesting key B75C61B8 from hkp server yogi gpg: key B75C61B8: public key "Mark Mitchell <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: please do a --check-trustdb gpg: Good signature from "Mark Mitchell <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: B3C4 2148 A44E 6983 B3E4 CC07 93FA 9B1A B75C 61B8 You'd need to change the keyserver to something publicly accessible such as pool.sks-keyservers.net. I would have thought there'd be an easily found keyring for gcc distros. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:[email protected]?subject=help Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels"
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
