
I'm trying to verify the new GnuPG download (for OS X) using GnuPG. (First of all I'm not sure if you should verify a file with the old version of it, which I probably didn't verify back then to be honest.)

Guess what - the verification doesn't work:

gpg --verify GnuPG-2.1.2.dmg.sig GnuPG-2.1.2.dmg
gpg: Signature made Thu Feb 12 18:13:44 2015 CET using RSA key ID DD5F693B
gpg: Can't check signature: public key not found

How can I get this working on my Mac?

SPRBRN

1 Answer

OpenPGP Signatures vs. Checksums

Verifying an OpenPGP signature not only checks whether a file was not corrupted (for example during transmission) like a "normal" SHA or MD5 checksum would do, but also checks whether the signature was issued by whom it pretends to be from (in other words, if the signature on the file was issued by a specific key, which is also referenced in the signature).

Fetching the Right Key

You need to fetch this (public) key before being able to verify the signature. This can easily be achieved by running gpg --recv-keys DD5F693B (but be aware of OpenPGP key ID collisions and better configure using long key IDs instead).

Trust

Having fetched the key, you will get an output similar to this one:

gpg: assuming signed data in `enigmail-1.8-tb+sm.xpi'
gpg: Signature made Tue Mar 17 13:31:23 2015 CET
gpg:                using RSA key 0xDB1187B9DD5F693B
gpg: Good signature from "Patrick Brunschwig <patrick@enigmail.net>"
gpg:                 aka "Patrick Brunschwig <patrick@brunschwig.net>"
gpg:                 aka "[jpeg image of size 13251]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4F9F 89F5 505A C1D1 A260  631C DB11 87B9 DD5F 693B

Now you know that the key was really used to sign the file you downloaded ("Good signature from [...]"). Still, this key could have been issued by anybody! Just because you fetched a key from the key servers, there has been no verification by anybody on its contents yet.

Having the key will not suffice to be sure who (which person) really signed the file:

WARNING: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner.

You also need to be able to verify the key to not only verify the file integrity (you already achieved that now), but also be sure whom it comes from. For example by meeting the issuer and asking him whether it's really his key, through the web of trust (or another way you consider reliable).

But this is another, long topic.

Jens Erat
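The answer's two practical points (fetch the key by something longer than an 8-digit short ID, and check the fingerprint rather than just "Good signature") can be scripted. The following POSIX sh is an added example, not code from the question or the answer: it fetches the key by its full 40-digit fingerprint, runs gpg with --status-fd so the result is machine-readable, and only accepts the file if the VALIDSIG line names the pinned fingerprint. The pinned fingerprint is the one printed in the answer's output; the file names are the placeholders from the question; the three status blocks at the bottom are constructed samples of what gpg prints for a good signature, a missing key, and a key that merely shares the short ID, used so the parsing functions can be exercised without a keyserver.

```shell
#!/bin/sh
# Added example: pin the signer's full fingerprint and verify a detached
# signature with machine-readable gpg status output.

# Fingerprint taken from the answer's "Primary key fingerprint:" line.
EXPECTED_FPR="4F9F89F5505AC1D1A260631CDB1187B9DD5F693B"

# Fetch by full fingerprint (40 hex digits). Short 8-digit IDs collide, and a
# keyserver will serve whichever key matches, so never fetch by those.
fetch_key() {
    gpg --recv-keys "$EXPECTED_FPR"
}

# Run the verification with --status-fd 1 so the status lines arrive on
# stdout; the human-readable text goes to stderr and is discarded here.
#   $1 = detached signature file, $2 = signed file
gpg_status() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null
}

# Extract the signing-key fingerprint from the VALIDSIG line. VALIDSIG is
# only emitted for a good signature, so an empty result means "not valid".
# Format: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash>
#         <class> [<primary-key-fpr>]
#   $1 = status lines
validsig_fingerprint() {
    printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}'
}

# Accept only if the signing key, or the primary key it belongs to (last
# field, present in modern GnuPG), equals the pinned fingerprint.
#   $1 = status lines; exit status 0 = signer matches
signer_is_expected() {
    printf '%s\n' "$1" \
        | awk '/^\[GNUPG:\] VALIDSIG /{print $3; print $NF}' \
        | grep -qx "$EXPECTED_FPR"
}

# Top-level check a user would run after fetch_key:
#   verify_download GnuPG-2.1.2.dmg.sig GnuPG-2.1.2.dmg
verify_download() {
    status=$(gpg_status "$1" "$2") || true
    if signer_is_expected "$status"; then
        echo "OK: $2 signed by $EXPECTED_FPR"
        return 0
    fi
    echo "REJECT: $2 not signed by the pinned key" >&2
    return 1
}

# Constructed sample status output (not captured from a real run) for a
# good signature by the pinned key, as the answer's verbose output implies.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DB1187B9DD5F693B Patrick Brunschwig <patrick@enigmail.net>
[GNUPG:] VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2015-03-17 1426595483 0 4 0 1 10 00 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: the situation in the question (key not on the keyring).
NO_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG DB1187B9DD5F693B 1 10 00 1423761224 9
[GNUPG:] NO_PUBKEY DB1187B9DD5F693B'

# Constructed sample: a good signature from a different key whose fingerprint
# ends in the same short ID DD5F693B, i.e. a short-ID collision.
COLLIDING_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000DD5F693B Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000000000000DD5F693B 2015-03-17 1426595483 0 4 0 1 10 00 00000000000000000000000000000000DD5F693B
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

The point of pinning the fingerprint is that "Good signature" alone is satisfied by the colliding sample above; only the fingerprint comparison separates it from the real key. Pinning still has to be bootstrapped once by a channel you trust (the project's website over HTTPS, a key signed by people you know, or meeting the issuer, as the answer says).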