On Fri, 27 Feb 2015, [email protected] wrote:

> 
> 
> On Thu, Feb 26, 2015, at 05:55 PM, Simon Nicolussi wrote:
> > [email protected] wrote:
> > > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc                
> > 
> > Note that calling gpg --verify with a detached signature as its only
> > argument is insecure (later versions of GnuPG should emit a warning).
> > See my message to Gnupg-users and subsequent responses for details:
> > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html
> > 
> 
> I could read those responses until the end of time and wouldn't
> understand anything.
> 
> Could you tell me what I'm supposed to enter in Terminal to get a
> response that indicates a good file or a bad file?
> 
> Here's what I entered (2 separate ways);
> 
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc
> 
> gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID
> F65C2036
> gpg: BAD signature from "Tor Browser Developers (signing key)
> <[email protected]>"
> 
> 
> $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz

The good one is the second one: giving the signature file as first
argument, and the file to be checked as second argument.

The problem with giving only one argument is that if the .asc file
contains some text with an in-line signature (rather than what people
would expect: a detached signature for the .tar.xz file), then gpg
will only verify this inline signature and ignore the .tar.xz file.
And the output only tells you that there is a good signature, so you
can't see that the .tar.xz file was not checked.

Example:

 $ echo 'some text' > some_file.txt
 $ gpg --clearsign some_file.txt
 $ mv some_file.txt.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc

Now the gpg command tells us the signature is good, although it has
nothing to do with tor-browser-linux32-4.0.4_en-US.tar.xz:

 $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc 
 gpg: Signature made Fri 27 Feb 2015 02:09:25 PM CET
 gpg:                using RSA key 2067001B1B678A63
 gpg: Good signature from "Nicolas Vigier (boklm) <[email protected]>"
 gpg:                 aka "Nicolas Vigier (boklm) <[email protected]>"

But with 2 arguments it tells us something is wrong:

 $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz
 gpg: not a detached signature
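The two-argument rule above can be enforced in a small wrapper. The script below is an added example, not code from this thread or from the Tor Project: it always passes both the .asc and the data file, reads gpg's machine-readable `--status-fd` lines instead of the "Good signature" text, and goes one step further than the thread by pinning the expected signing key's full fingerprint (the short key ID F65C2036 shown above is too short to pin; the fingerprint value in the code is a placeholder to fill in). It assumes `gpg` is on PATH; the status lines and key values used in the comments are constructed.

```python
"""Verify a detached signature safely: always give gpg BOTH the .asc and the
data file, then judge the result from the "[GNUPG:] ..." status lines.

Added example for this thread, not code from the original message.
Assumes `gpg` is on PATH; TRUSTED_FINGERPRINTS holds a placeholder.
"""
import subprocess
import sys

# Placeholder: replace with the full 40-hex fingerprint of the key you expect.
TRUSTED_FINGERPRINTS = {"REPLACE_WITH_40_HEX_FINGERPRINT"}


def build_verify_command(sig_path, data_path):
    """Build the gpg argv, refusing the one-argument form the thread warns
    about: with only the .asc, gpg verifies whatever is signed inline in that
    file and never looks at the tarball."""
    if not data_path:
        raise ValueError("data file required: `gpg --verify sig.asc` alone "
                         "does not check the tarball")
    # --status-fd 1 sends the machine-readable status lines to stdout.
    return ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]


def parse_status(status_text):
    """Collect the fields we care about from gpg --status-fd output."""
    result = {"goodsig": None, "badsig": None, "fingerprint": None, "errors": []}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            # GOODSIG <long key id> <user id>
            result["goodsig"] = (fields[2], " ".join(fields[3:]))
        elif tag == "BADSIG":
            result["badsig"] = (fields[2], " ".join(fields[3:]))
        elif tag == "VALIDSIG":
            # VALIDSIG <fingerprint> <date> <timestamp> ...: the fingerprint
            # is the only identifier long enough to pin safely.
            result["fingerprint"] = fields[2]
        elif tag in ("ERRSIG", "NODATA", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            result["errors"].append(tag)
    return result


def verdict(returncode, status_text, trusted=TRUSTED_FINGERPRINTS):
    """Turn gpg's exit code plus status lines into one OK/FAIL string."""
    parsed = parse_status(status_text)
    if parsed["badsig"]:
        return "FAIL: BAD signature from %s" % parsed["badsig"][1]
    if returncode != 0:
        # Also covers "gpg: not a detached signature" from the thread.
        detail = ",".join(parsed["errors"]) or "see stderr"
        return "FAIL: gpg exited %d (%s)" % (returncode, detail)
    if not parsed["fingerprint"]:
        return "FAIL: no VALIDSIG line, nothing was verified"
    if parsed["fingerprint"] not in trusted:
        return "FAIL: valid signature but from unexpected key %s" % parsed["fingerprint"]
    signer = parsed["goodsig"][1] if parsed["goodsig"] else "unknown"
    return "OK: %s signed by %s" % (parsed["fingerprint"], signer)


def verify_detached(sig_path, data_path):
    """Run gpg with both arguments and return the verdict (needs gpg installed)."""
    proc = subprocess.run(build_verify_command(sig_path, data_path),
                          capture_output=True, text=True)
    return verdict(proc.returncode, proc.stdout)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify.py <file.asc> <file>")
    out = verify_detached(sys.argv[1], sys.argv[2])
    print(out)
    sys.exit(0 if out.startswith("OK") else 1)
```

Run it as `python verify.py tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz`; a clearsigned text file renamed to .asc, as in the demonstration above, makes gpg exit non-zero and the script report FAIL instead of a misleading "Good signature".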


-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
