Signed Software

Non release banter
Bogomips
Full of knowledge
Full of knowledge
Posts: 2564
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Signed Software

Post#1 by Bogomips » 15 Mar 2017, 22:31

Progressing the learning experience of how to get the Public Key of a Signer as in the case of AppImage http://forum.porteus.org/viewtopic.php? ... 32d#p53288
  1. Public Key not on Key Server

    Code: Select all

    guest@porteus:~$ gpg palemoon-27.1.2.en-US.linux-x86_64.tar.bz2.sig 
    gpg: assuming signed data in `palemoon-27.1.2.en-US.linux-x86_64.tar.bz2'
    gpg: Signature made Fri 03 Mar 2017 02:47:51 PM GMT using RSA key ID C65285EC
    gpg: Can't check signature: public key not found
    
    guest@porteus:~$ gpg --keyserver hkp://keys.gnupg.net --search-keys C65285EC
    gpg: searching for "C65285EC" from hkp server keys.gnupg.net
    gpg: keyserver timed out
    gpg: keyserver search failed: keyserver error
    
  2. Search in more Key Servers

    Code: Select all

    guest@porteus:~$ gpg --keyserver x-hkp://pool.sks-keyservers.net --search-keys C65285EC 
    gpg: searching for "C65285EC" from hkp server pool.sks-keyservers.net
    gpg: keyserver timed out
    gpg: keyserver search failed: keyserver error
    
    guest@porteus:~$ gpg --keyserver hkp://pgp.mit.edu --recv-keys C65285EC 
    gpg: requesting key C65285EC from hkp server pgp.mit.edu
    gpg: keyserver timed out
    gpg: keyserver receive failed: keyserver error
    
    guest@porteus:~$ gpg --keyserver hkp://pgp.mit.edu --search-keys C65285EC
    gpg: searching for "C65285EC" from hkp server pgp.mit.edu
    gpg: keyserver timed out
    gpg: keyserver search failed: keyserver error
    
  3. Search in Internet :Search:
    • Success?
      Mailing List Archive: Failure of comparison of valid pub key ...
      Can I have a pub key with a unique id C65285EC and a fingerprint, but two different associated ... (RSA signing key) > > <moonchild <at> palemoon.org> >
      lists.gt.net/gnupg/users/74927
    • Relevant Key? :unknown:
      Failure of comparison of valid pub key's .asc files
      jb.1234abcd at gmail
      Feb 21, 2016, 1:24 PM
      Post #1 of 6 (476 views)
      Permalink
      Hi,

      My system is Arch linux.
      Linux myhost 4.4.1-2-ARCH #1 SMP PREEMPT Wed Feb 3 13:12:33 UTC 2016 x86_64
      GNU/Linux
      gnupg 2.1.11-1
      gpgme 1.6.0-2
      libgpg-error 1.21-1

      I have a problem with comparing contents of publick key ascii files from two
      sources:

      1. downloaded from web page .asc file
      $ cat 0xC65285EC.asc
      -----BEGIN PGP PUBLIC KEY BLOCK-----
    • Code: Select all

      guest@porteus:~$ cat > 0xC65285EC.asc
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      Version: GnuPG v2
      
      mQENBFUGFsQBCACV0oz1c96lPXq//jqEZLf3cWcv6bS5YSTbi9h1SH+O846Xl/DG
      iVNx+FQyt7oiyCnkd0sL2HLHut6GUSvBvpdFO32DTHxcV6ibE+vQ0SeXzLOLRVBT
      jrFORwSVZ5IcW6y9Hs/PusUOzT4MA6JOvuRFD8UVYETZCU3z3GPXYBztiqcsqo2p
      2srJmxlRUNKHI5XM0h4Q03LqBqi23g+5cijyj5TX6X5ubIHNUc2KQcGtA5JYbvyc
      HvGsQK6umWQPgK7rO4L8doAD1kxpEhm+ckLXUfxSoKEUDOExSN0A7+bozDsV5a6j
      CfQvOtVe4KLN1IayFEmRWdl9AEKL/w6f2oBfABEBAAG0InRyYXZhOTAgPHRyYXZh
      d2luZUBwcm90b25tYWlsLmNvbT6JATcEEwEIACEFAlUGFsQCGwMFCwkIBwIGFQgJ
      CgsCBBYCAwECHgECF4AACgkQhl5sh8ZShey4mgf9EaBrcFOBxFACCJdWH5zXl+Qt
      +web3WZ9ELebpu9nTV7gta40Zy1Zc5FUGSxI9sxfbbSkc0Ob6eSx7qisZhOtaekz
      g7t1DU4xPDNkzAUhj7P+soQeFNGwU0h7V58lMbjVVSXbGTgVm0FHndC5QbwK5Qzn
      lGzA6nmzXDiFqd/asHa/1KMk4d8JDgotcsHcqYhkW4bv1tj4jSDquG2iyEj1eE3u
      7nIrfDGMlCweeBclLWVGG4RVfFXrBMr21NE0bRsiJF5c1PNsC8tmzTPfCVWvZauv
      heFptUzs2d+YjxSjkDAEUYV3EVGvzD1rhH630u/lLA/CSOHqQnTT5jbQkRzTxokC
      HAQTAQIABgUCVVdfxgAKCRBASB57j8+c7IgbEACwOsKosf0ZaPon9jkih8oGgdaK
      rxNQuQZK13hICBMaol7ufjwcmf0Im5sGfdB1McpOL+bd5kDRicBtSZtORrV76H4A
      y5DhevbIgrClC3XGwpdl4vRSmzybekyYUaunY6dAVKDDMUxDJTo4S1+MBC93wYTx
      llunL4voBAyqmWxD2wUXLripbwE70jHk3HGZRwPWZ0JZ4VJUFduEL/UdL6gKbu0B
      jUQAOq9alQsnKUkZwBatcrYqRTrdQQZ1NNmYr3NZwtc/87y/EDLaEG7nQrR6Pm8t
      ImiFRVhd12Qw27KmUyyQeijuW9XqXUDA1yF+IqR0ZBaesGes/hAsFdZDdWk27x/1
      Pe+UNONgsy1rsy9GiTeyd+GcDBH3A1TVoXjJB1A06S7KUQsUDWBOlH5iW5LzEk2w
      eQt1dB9O35gIiZ2tdkxRO0bHecx6+O2WlkOcYlOhTqy37PeRL3q2s5ItxNuxeEsX
      WRu9GgGbMEFgkB3T9pCu2RG+bD+XFSVpRYZ4X+hiT9KEuczuB4gXDMqAA5BL20K2
      QH31PrlL6vRP7bkvrcUr/Ovoy1AqRJY66ivVuyviDGuJd5iGsYvt+OOPN4J/xRl8
      NVHw6Fz9cND/4PVZLrgJdirQ85y/3poaOjhB3iaYau1iw2D0zPX6Aob4x/VJEUhD
      K0gG9M2NzyGnYJJrk7kBDQRVBhbEAQgA4WajOd4mWXhz4jTfnR4gFdwCKUtE0DjI
      NTOHetEpgPDSwJ51NQgTEcOz1ieUHML6jt/BNZMbdoVKyBcrnagnjHXvCOdQD0I4
      TlreixIQ05hi7yf83Jez7EcNNodOXjWtO/iSnY2ULkaxiZbLfwnruWADM4gVvnUC
      D2deZfRK8GVs+02YR3jkoGkLoR8wa0/YIFoSJIPa9RS+WwYuOkUyEBJNQGmrP2FB
      MLsQgHNF0APQqldple7xNgY30DZTV7fRGnKoRGtsN1jlO2Gvcv8DCKRa38RFnm/5
      1CBMaMjkyVdN0mnCtTgFYA071m3rUzpK/LkaIBS0Tr6DnlvRf5mmhwARAQABiQEf
      BBgBCAAJBQJVBhbEAhsMAAoJEIZebIfGUoXsHecH/iIMPFpdtjXDN97ZCyTEIB/w
      HaJIfUVxkH4oH8HKYVQQjJKkqdbJGK8j5oXDptY6YAPMryDfluOSlrvfGXWo4/dv
      uB2XcfBfkKok59AaCQIxvpn4DVvC+di7dHbXSc/zymzQ13E6Dc6Y92BN6PVv4ezH
      m3lMVSys5zP0XzVWH5nJ1y6ZzMyAw3LeCRPp0VPbjbOf6DoSII9xQhTKLryVuuNh
      ZDh79gAfIBLHBGusmqGgG2t6Raknbl7J3nSR6zS+YzNVNhe7431Xu5tS1JdXlpAj
      rGewMlLZNK6Nm1ea5kiHFX88Ue65Kql7Ek/08TC+RSh4SO4aCSYgq9YuNStVrco=
      =EkJT
      -----END PGP PUBLIC KEY BLOCK----- 
      
    • Checks Good?

      Code: Select all

      guest@porteus:~$ gpg --import 0xC65285EC.asc
      gpg: key C65285EC: public key "trava90 <travawine@protonmail.com>" imported
      gpg: Total number processed: 1
      gpg:               imported: 1  (RSA: 1)
      gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
      gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
      
      guest@porteus:~$ gpg --check-sigs 0xC65285EC
      pub   2048R/C65285EC 2015-03-15
      uid                  trava90 <travawine@protonmail.com>
      sig!3        C65285EC 2015-03-15  trava90 <travawine@protonmail.com>
      sub   2048R/25192F9F 2015-03-15
      sig!         C65285EC 2015-03-15  trava90 <travawine@protonmail.com>
      
      1 signature not checked due to a missing key
      
      guest@porteus:~$ gpg --fingerprint travawine@protonmail.com
      pub   2048R/C65285EC 2015-03-15
            Key fingerprint = 439F 46F4 2C6A E3D2 3CF5  2E70 865E 6C87 C652 85EC
      uid                  trava90 <travawine@protonmail.com>
      sub   2048R/25192F9F 2015-03-15
      
    • Acid Test

      Code: Select all

      guest@porteus:~$ gpg --verify palemoon-27.1.2.en-US.linux-x86_64.tar.bz2.sig 
      gpg: assuming signed data in `palemoon-27.1.2.en-US.linux-x86_64.tar.bz2'
      gpg: Signature made Fri 03 Mar 2017 02:47:51 PM GMT using RSA key ID C65285EC
      gpg: Good signature from "trava90 <travawine@protonmail.com>"
      gpg: WARNING: This key is not certified with a trusted signature!
      gpg:          There is no indication that the signature belongs to the owner.
      Primary key fingerprint: 439F 46F4 2C6A E3D2 3CF5  2E70 865E 6C87 C652 85EC
      
      guest@porteus:~$ gpg --verify palemoon-27.1.2.en-US.linux-i686.tar.bz2.sig 
      gpg: assuming signed data in `palemoon-27.1.2.en-US.linux-i686.tar.bz2'
      gpg: Signature made Fri 03 Mar 2017 02:48:06 PM GMT using RSA key ID C65285EC
      gpg: Good signature from "trava90 <travawine@protonmail.com>"
      gpg: WARNING: This key is not certified with a trusted signature!
      gpg:          There is no indication that the signature belongs to the owner.
      Primary key fingerprint: 439F 46F4 2C6A E3D2 3CF5  2E70 865E 6C87 C652 85EC
      
    :Yahoo!:
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB