Thanks Felix, I realized I had said "encrypt" instead of "sign" after I
sent it. My bad.

The key for me was figuring out I need to retrieve the key from a
keyserver instead of trying to import the ASC signature file directly
into GPG.

I'm all good now, and a bit more educated. ;-)

Thanks all!

Andy

On 02/13/2014 10:53 AM, Felix Eckhofer wrote:
> Andy,
> 
> I think you are confusing "key" and "signature".
> 
> On 13.02.2014 17:07, Andy Roberson wrote:
>> I am not able to import the key from
>> https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.asc onto my keyring,
> 
> pidgin-otr-4.0.0.tar.gz.asc is not a key, it is a signature for the
> tarball, created with the "OTR Dev Team" key.
> 
>> so the gpg --verify command isn't working for me yet. I was able to
>> identify the signature used to encrypt the file, and import that one.
>> But I presume that really isn't verifying anything other than the fact
>> the file is properly signed by "someone".
> 
> So you have imported the key used to *sign* (not encrypt) the file.
> Unless you verify that this key used to create the signature is in some
> way "trusted" you are indeed not going to get more than "it is signed by
> someone". This is what the web of trust is meant to achieve (although it
> is not really helpful in this case). Asking in this mailing list might
> be one way to increase your trust that the key is indeed the correct
> one. For the record: When I download pidgin-otr-4.0.0.tar.gz, it is
> signed by
> 
> : pub   1024D/DED64EBB2BA87C5C 2004-12-01
> :       Key fingerprint = 5769 79E7 D0CA B38C 7AA3  DDBD DED6 4EBB 2BA8 7C5C
> 
> Other ways I can think of would be checking whether this is the same key
> used to sign older releases you may have downloaded some time ago or
> testing whether you get the same file from different internet
> connections and computers.
> 
> 
> felix
> 
> _______________________________________________
> OTR-users mailing list
> OTR-users@lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users

-- 

Thanks,
Andy

Support online privacy by sending encrypted email when possible.

Attachment: 0xC40C4F93.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
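
The key-versus-signature distinction discussed in this thread, as an added example that is not part of the original messages: Python that reads the first OpenPGP packet of an `.asc` file to tell a detached signature (tag 2) from a public key (tag 6), then compares the signature's issuer key ID with a fingerprint obtained out of band. The function names and the sample packet are constructed for illustration; the key ID and fingerprint are the ones quoted above.

```python
import base64

def dearmor(text):
    """Return the raw OpenPGP bytes inside one ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]      # skip BEGIN line and armor headers, drop END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))  # "=" line: CRC-24

def first_packet(data):
    """Return (tag, body) of the first packet; old-format headers only (RFC 4880, 4.2)."""
    b = data[0]
    if b & 0xC0 != 0x80 or b & 0x03 == 3:
        raise ValueError("only old-format headers with a definite length are handled here")
    off = 1 + (1 << (b & 0x03))               # 1, 2 or 4 length octets follow the tag octet
    return (b >> 2) & 0x0F, data[off:off + int.from_bytes(data[1:off], "big")]

def issuer_key_id(sig):
    """Issuer key ID (subpacket type 16) of a version 4 signature body, or None."""
    if sig[0] != 4:
        raise ValueError("only version 4 signatures are handled here")
    pos = 4                                   # skip version, sig type, pubkey algo, hash algo
    for _ in range(2):                        # hashed area, then unhashed area
        pos, end = pos + 2, pos + 2 + int.from_bytes(sig[pos:pos + 2], "big")
        while pos < end:
            n = sig[pos]                      # subpacket length, counts type octet + data
            if n >= 192:
                raise ValueError("multi-octet subpacket lengths are not handled here")
            if sig[pos + 1] & 0x7F == 16:     # mask off the "critical" bit
                return sig[pos + 2:pos + 1 + n].hex().upper()
            pos += 1 + n
    return None

def check_asc(armored, trusted_fpr):
    """Return (kind, issuer key ID, whether that ID matches the trusted fingerprint)."""
    tag, body = first_packet(dearmor(armored))
    if tag != 2:                              # tag 6 is a public key, the thing gpg --import wants
        return ("public key" if tag == 6 else f"tag {tag}"), None, False
    kid = issuer_key_id(body)
    # v4 key ID = low 64 bits of the fingerprint; it only locates the key, gpg --verify does the rest
    return "signature", kid, bool(kid) and trusted_fpr.replace(" ", "").upper().endswith(kid)

def constructed_signature(key_id="DED64EBB2BA87C5C"):
    """Constructed sample: v4 signature packet with dummy MPIs, not a real release signature."""
    hashed = bytes([5, 2]) + (1392307200).to_bytes(4, "big")      # creation time subpacket
    unhashed = bytes([9, 16]) + bytes.fromhex(key_id)             # issuer subpacket
    body = (bytes([4, 0, 17, 2]) + bytes([0, len(hashed)]) + hashed
            + bytes([0, len(unhashed)]) + unhashed + bytes(2) + b"\x00\x01\x01" * 2)
    pkt = bytes([0x88, len(body)]) + body                         # old-format header, tag 2
    return f"-----BEGIN PGP SIGNATURE-----\n\n{base64.b64encode(pkt).decode()}\n-----END PGP SIGNATURE-----\n"
```

A matching key ID only says which key to fetch and inspect; the signature is checked by `gpg --verify` once that key, with its full fingerprint confirmed, is on the keyring.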
