On Wednesday, 22 February 2012, 10:15:50, Marco Dorigo wrote:
> I followed the howto on truecrypt
> (http://www.truecrypt.org/docs/?s=digital-signatures)

That description contains an "error". And you misunderstood something:

"Sign the imported key with your private key to mark it as trusted".

"To" mark it trusted, not "and" mark it trusted. The trust you have set is something completely different (regarding the web of trust).

The "error" is:

"If you skip this step and attempt to verify any of our PGP signatures, you will receive an error message stating that the signing key is invalid."

The error message just tells you that this key is not considered valid yet. It does tell you that the signature has been made by that key. And that's all you need. It usually does not make much sense to sign a key which you have not checked. My advice: Either delete the signature or use the signing key for "worthless" signatures only (and in a way that makes sure you are not confused).

> Because when I'm trying to verify it
> gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig
> truecrypt-7.1a-linux-x64.tar.gz it just says:
> gpg: verify signatures failed: eof

I guess that the signature file is broken. Download it again. If the signed file were broken then the error message should say that the signature is wrong.

What is the size of the signature file and what is the type of the signing key? I assume that if the signature file is incomplete then somebody here can tell already by the length.

We need the output of

gpg --list-keys

(for the TrueCrypt key only)

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
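
The distinction drawn in the reply above, between a signature that was made by a given key and a key that gpg considers valid, shown as an added example that is not part of the original message: it reads the status lines gpg writes with `--status-fd` and reports the two properties separately. The pinned fingerprint, the `classify` and `sample` helpers, the accept policy (good signature from a fingerprint checked out of band) and the sample lines are constructed assumptions.

```python
# Added example: separate "signature is good" from "key is valid" in
# the machine-readable output of `gpg --status-fd 1 --verify SIG FILE`.
PREFIX = "[GNUPG:] "
# Constructed placeholder, NOT the real TrueCrypt key fingerprint.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed

def classify(status_text, pinned_fpr=PINNED_FPR):
    """Assumes one signature per status stream."""
    good = bad = False
    signer = validity = None
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "BADSIG":
            bad = True
        elif keyword == "VALIDSIG" and args:
            # Last field is the primary key fingerprint when present.
            signer = args[9] if len(args) >= 10 else args[0]
        elif keyword.startswith("TRUST_"):
            # Key validity (web of trust), independent of the signature check.
            validity = keyword[len("TRUST_"):].lower()
    if bad or not good or signer is None:
        verdict = "no-good-signature"
    elif signer.upper() != pinned_fpr.upper():
        verdict = "wrong-key"
    else:
        verdict = "accept"
    return {"signature_good": good and not bad,
            "key_validity": validity, "verdict": verdict}

def sample(keyword, fpr, trust=None):
    """Build constructed status lines in gpg's --status-fd format."""
    lines = [f"{PREFIX}{keyword} {fpr[-16:]} Example Signer <signer@example.org>"]
    if keyword == "GOODSIG":
        lines.append(f"{PREFIX}VALIDSIG {fpr} 2012-02-07 1328572800 0 4 0 1 2 00 {fpr}")
    if trust:
        lines.append(f"{PREFIX}TRUST_{trust}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(classify(sample("GOODSIG", PINNED_FPR, "UNDEFINED")))  # pinned key, not yet valid
    print(classify(sample("GOODSIG", OTHER_FPR, "FULLY")))       # valid key, wrong signer
    print(classify(sample("BADSIG", PINNED_FPR)))                # file or signature altered
```
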
