I'm trying to follow the instructions to verify a downloaded file here:
http://www.pps.univ-paris-diderot.fr/~jch/software/pgp-validating.html
Get a local copy of the signing key
You will need to know the key id of the key you want to confirm. If you are using ASDF-Install, ASDF-Install will complain about an unknown key, and tell you the ID. Otherwise, download both the tarball and the signature file, and pass the signature file to GnuPG:
gpg cl-yacc-0.2.tar.gz.asc
GnuPG will complain about an unknown key, and tell you the ID. At that point, do
gpg --recv id
to download a local copy of the key.
I am trying to verify the downloaded file:
libevent-2.0.22-stable.tar.gz
And I have this signature file:
libevent-2.0.22-stable.tar.gz.asc
Following the steps above, this is what I got:
~/Downloads$ gpg libevent-2.0.22-stable.tar.gz.asc
gpg: assuming signed data in 'libevent-2.0.22-stable.tar.gz'
gpg: Signature made Mon Jan 5 08:16:20 2015 MST using RSA key ID 8D29319A
gpg: Good signature from "Nick Mathewson <nickm@alum.mit.edu>" [unknown]
gpg: aka "Nick Mathewson <nickm@wangafu.net>" [unknown]
gpg: aka "Nick Mathewson <nickm@freehaven.net>" [unknown]
gpg: aka "[jpeg image of size 3369]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B35B F85B F194 89D0 4E28 C33C 2119 4EBB 1657 33EA
Subkey fingerprint: EF00 F369 1387 FCC5 8CD6 8E13 9103 97D8 8D29 319A
~/Downloads$ gpg --recv 8D29319A
gpg: requesting key 8D29319A from hkps server hkps.pool.sks-keyservers.net
gpg: key 165733EA: "Nick Mathewson <nickm@alum.mit.edu>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Next, it says:
Confirm the key from an independent source
You now need to confirm the key from an independent source i.e. neither the signature file nor the keyserver.
Find out more about the key
Armed with the ID of the key you are interested in, check the key on your favourite keyserver interface (choose “verbose index”). You will find all the uids (e-mail addresses) of the person who signed the key, as well as the people who have signed that key.
As far as I can tell, the phrase "armed with the ID of the key you are interested in" refers to: 8D29319A. In any case, I tried entering every number, fingerprint, and ASCII-armored public key in that linked keyserver interface, and I just got exception after exception.
What am I doing wrong?
$ gpg --version
gpg (GnuPG/MacGPG2) 2.0.28
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$
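The gpg output in the question shows two identifiers: 8D29319A is the ID of the signing subkey (last eight hex digits of the "Subkey fingerprint"), while the primary key is 165733EA with the "Primary key fingerprint" B35B F85B ... 33EA. The "confirm from an independent source" step boils down to comparing that primary fingerprint against a copy obtained somewhere other than the signature file or the keyserver. The following script is an added example, not code from the question or from the linked guide: it verifies a detached signature with gpg's machine-readable --status-fd output and only reports success when the VALIDSIG line names the pinned primary fingerprint. It assumes gpg 2.x on PATH; EXPECTED_FPR is filled in with the fingerprint printed in the question and should in practice come from an out-of-band source.

```shell
#!/bin/sh
# Added example (not from the original post or the linked guide):
# verify a detached GnuPG signature and pin the primary key fingerprint.
# Assumption: gpg 2.x is installed and the key is already in the keyring
# (e.g. after "gpg --recv 8D29319A" as in the question).

# Primary key fingerprint as printed in the question's gpg output.
# Obtain this value from a source independent of the signature file
# and of the keyserver (project website, release announcement, etc.).
EXPECTED_FPR="B35BF85BF19489D04E28C33C21194EBB165733EA"

# Normalize a fingerprint: drop spaces and a leading 0x, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd lines on stdin and print the primary-key fingerprint
# from the first VALIDSIG line. Field layout (GnuPG doc/DETAILS):
# [GNUPG:] VALIDSIG <sigkey_fpr> <date> <ts> <exp> <ver> <rsvd> <pkalgo>
#          <hashalgo> <class> <primary_fpr>
# VALIDSIG is only emitted for a cryptographically valid signature, but says
# nothing about trust, hence the explicit fingerprint comparison below.
primary_fpr_from_status() {
    awk '$2 == "VALIDSIG" { print $NF; exit }'
}

# Return 0 when the status text carries a VALIDSIG whose primary fingerprint
# equals the expected one (after normalization), 1 otherwise.
status_matches() {
    status="$1"
    expected="$(normalize_fpr "$2")"
    got="$(printf '%s\n' "$status" | primary_fpr_from_status)"
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Verify a tarball against its .asc file and the pinned fingerprint.
# Usage: verify_tarball libevent-2.0.22-stable.tar.gz.asc \
#                       libevent-2.0.22-stable.tar.gz [expected_fpr]
verify_tarball() {
    sig="$1"
    data="$2"
    expected="${3:-$EXPECTED_FPR}"
    # Status lines go to stdout (fd 1); human-readable chatter to stderr.
    status="$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null)" \
        || { echo "FAIL: gpg could not verify $data" >&2; return 1; }
    if status_matches "$status" "$expected"; then
        echo "OK: $data is signed by the pinned key"
    else
        echo "FAIL: signature on $data is valid but not from the pinned key" >&2
        return 1
    fi
}
```

A key ID alone (8D29319A) is too short to pin safely; comparing the full primary fingerprint is what actually ties the signature to the key you confirmed out of band.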