
I've recently installed Kleopatra in order to use GPG for confirming the validity of downloads. I've downloaded the following (32-bit version): https://www.claws-mail.org/win32/

I also downloaded the GPG signature beneath it, and tried to import it using Kleopatra. However, it fails, importing nothing.

I've tried to do some research and what I understand is that the signature is for verifying a key, however I cannot find a key from claws-mail. Have I done something wrong, or am I mistaken in thinking the signature should be able to verify a download? If I am, what is its purpose in being included with the download link?

Joe

1 Answer


The signature can be used to verify a download only if you have the corresponding public key to verify against.

In order to verify that something was signed by who you think it was, you should import their public key into Kleopatra. Then you should be able to verify the signature from there.

Note: I took a short, cursory look over the website, and couldn't find the public key posted anywhere. You might be able to email the author and ask.

    Using a public key obtained from a website to verify something downloaded from the same website doesn't really accomplish much. An attacker that can modify one can probably modify the other. – AndrolGenhald Nov 29 '18 at 02:33
  • @AndrolGenhald I agree. I figured that the question "How do I know that the public key I received is from who I think it is" had been asked/answered a few times already, so I didn't want to include that here as well. –  Nov 29 '18 at 17:35
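A practical first step the thread leaves open: the .asc file itself records which key made it. When gpg is asked to verify a detached signature without the matching public key it stops with "Can't check signature: No public key" and prints that key ID. The script below, an added example and not code from the original post, the answerer or the Claws Mail project, does the same by hand: it decodes the ASCII armor and the version 4 signature packet (RFC 4880) and pulls out the issuer key ID, the issuer fingerprint, the creation time and the algorithms. It also contains the check the two comments are arguing for, comparing the fingerprint named in the signature with one obtained out of band rather than from the download page. The sample signature it parses is constructed inline with a made-up fingerprint and a dummy MPI, so it is structurally valid but does not verify cryptographically; the real verification is still `gpg --verify <file>.asc <file>` (or Kleopatra) after the key has been imported.

```python
# Added example: which key made this .asc? Parse the OpenPGP signature packet (RFC 4880).
import base64, datetime, struct

SUBPKT_CREATION_TIME, SUBPKT_ISSUER_KEY_ID, SUBPKT_ISSUER_FINGERPRINT = 2, 16, 33
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}

def crc24(data):
    """Armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text):
    """Strip the BEGIN/END PGP SIGNATURE armor, check the CRC24 line, return raw packet bytes."""
    body, crc_line, inside = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif inside and line.startswith("="):       # "=XXXX" is the CRC24 line, not data
            crc_line = line[1:]
        elif inside and line and ":" not in line:   # skips the blank line and "Version: ..." headers
            body.append(line)
    data = base64.b64decode("".join(body))
    if crc_line is not None and crc24(data) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor CRC24 mismatch: the .asc file is corrupt or truncated")
    return data

def read_length(buf, pos):
    # New-format length octets (1, 2 or 5), shared by packet headers and subpackets.
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths not supported")

def read_packet(data):
    """Parse one packet header (RFC 4880 section 4.2); return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                      # new-format header: 6-bit tag
        tag, (length, off) = ctb & 0x3F, read_length(data, 1)
    else:                                               # old-format header (gpg's default for signatures)
        tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]
        if size == 0:
            raise ValueError("indeterminate length not supported")
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]

def iter_subpackets(blob):
    """Yield (type, value) per subpacket; the length counts the type octet, whose high bit is 'critical'."""
    pos = 0
    while pos < len(blob):
        length, pos = read_length(blob, pos)
        yield blob[pos] & 0x7F, blob[pos + 1:pos + length]
        pos += length

def identify_signer(armored_sig):
    """Issuer key ID / fingerprint, algorithms and creation time from a v4 signature packet."""
    tag, body = read_packet(dearmor(armored_sig))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet (tag 2)")
    info = {"pubkey_algo": PUBKEY_ALGOS.get(body[2], body[2]), "hash_algo": HASH_ALGOS.get(body[3], body[3]),
            "key_id": None, "fingerprint": None, "created": None}
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    # Hashed subpackets are covered by the signature; unhashed ones (where gpg puts the key ID) are not.
    for kind, val in list(iter_subpackets(body[6:6 + hlen])) + list(iter_subpackets(body[8 + hlen:8 + hlen + ulen])):
        if kind == SUBPKT_CREATION_TIME:
            info["created"] = datetime.datetime.fromtimestamp(struct.unpack(">I", val)[0], datetime.timezone.utc)
        elif kind == SUBPKT_ISSUER_KEY_ID:
            info["key_id"] = val.hex().upper()
        elif kind == SUBPKT_ISSUER_FINGERPRINT and val[0] == 4:
            info["fingerprint"] = val[1:21].hex().upper()
    return info

def matches_pinned(info, pinned_fingerprint):
    """True iff the signature names the full fingerprint you obtained out of band (not from the same
    page as the download). Bare 64-bit key IDs are deliberately not accepted: they can be collided."""
    return info["fingerprint"] == pinned_fingerprint.replace(" ", "").upper()

def _sub(kind, payload):
    return bytes([len(payload) + 1, kind]) + payload

def build_sample_signature():
    """CONSTRUCTED .asc: v4 RSA/SHA-256 signature, hypothetical fingerprint, dummy MPI (not verifiable)."""
    fpr = bytes.fromhex("0123456789ABCDEF0123456789ABCDEF01234567")
    hashed = _sub(SUBPKT_CREATION_TIME, struct.pack(">I", 1543456789)) + _sub(SUBPKT_ISSUER_FINGERPRINT, b"\x04" + fpr)
    unhashed = _sub(SUBPKT_ISSUER_KEY_ID, fpr[-8:])  # key ID = low 64 bits of a v4 fingerprint
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", len(unhashed))
            + unhashed + b"\x12\x34" + struct.pack(">H", 16) + b"\xab\xcd")  # hash prefix + dummy RSA MPI
    packet = bytes([0x88, len(body)]) + body  # old-format header: tag 2, one-octet length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")
```

Pass the text of the downloaded .asc to `identify_signer`; the key ID it returns is what you look up on a keyserver or ask the maintainer to confirm, and `matches_pinned` is the comparison to make once you have a fingerprint from somewhere other than the same web page. Note that the plain key ID normally sits in the unhashed area of the signature, so whoever can replace the download and its .asc can point it at any key they like; only the full-fingerprint comparison together with a successful `gpg --verify` against that key means anything.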