--import is used to import keys, not to check a signature.
The .asc file is usually a detached GPG signature. If you have files foo.tar.gz and foo.tar.gz.asc (or foo.tar.gz.sig), then you can verify the file foo.tar.gz with:
gpg foo.tar.gz.asc
In your case, however, the filename does not match that pattern, so you should specify the --verify option explicitly. According to the manual page of gpg(1):
--verify
Assume that the first argument is a signed file or a detached
signature and verify it without generating any output. With no
arguments, the signature packet is read from STDIN. If only a
sigfile is given, it may be a complete signature or a detached
signature, in which case the signed stuff is expected in a file
without the ".sig" or ".asc" extension. With more than 1 argument,
the first should be a detached signature and the remaining files are
the signed stuff. To read the signed stuff from STDIN, use '-' as the
second filename. For security reasons a detached signature cannot
read the signed material from STDIN without denoting it in the above
way.
Thus:
$ gpg --verify bind-9.9.4.tar.gz.sha1.asc bind-9.9.4.tar.gz
gpg: Signature made Wed 18 Sep 2013 09:25:43 PM CEST using RSA key ID 189CDBC5
gpg: Can't check signature: No public key
Now, this key can be imported using:
gpg --recv-keys 189CDBC5
Be sure to verify this key. Ideally you would meet the person, but failing to do that, look at the trust others have in this key (Linux distributions, friends, etc). Remember that GPG is about a web of trust.
See also:
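As an added example (not part of this answer, and not GnuPG's code), the small parser below reads a detached .asc and shows where the "RSA key ID 189CDBC5" in the gpg output comes from: the issuer subpackets inside the signature packet. Those fields are written by whoever produced the signature, which is why the last paragraph above matters. The check worth scripting is a pin on the full fingerprint of a key you have already verified, never the short key ID, and gpg --verify still does the actual cryptographic check afterwards. The key ID, fingerprint and timestamp are constructed sample values; the signature packet is assembled with a dummy MPI so the example runs offline and is not a valid signature.

```python
import base64
import datetime
import struct

# Constructed sample values, not a real key.  As with every real v4 key, the
# 8-byte key ID is the low 8 bytes of the 20-byte fingerprint.
SAMPLE_FINGERPRINT = bytes.fromhex("A0A1A2A3A4A5A6A7A8A9AAAB" "0011223344556677")
SAMPLE_KEY_ID = SAMPLE_FINGERPRINT[-8:]
SAMPLE_CREATED = 1700000000                    # arbitrary: 2023-11-14T22:13:20Z
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 10: "SHA512"}

def crc24(data):
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def build_sample_signature(key_id=SAMPLE_KEY_ID, fingerprint=SAMPLE_FINGERPRINT, created=SAMPLE_CREATED):
    """Armored v4 signature packet with dummy MPI: realistic structure, NOT a valid signature."""
    sub = lambda t, body: bytes([len(body) + 1, t]) + body      # one-octet subpacket length form
    hashed = sub(2, struct.pack(">I", created)) + sub(33, b"\x04" + fingerprint)
    unhashed = sub(16, key_id)
    body = (bytes([4, 0x00, 1, 8])                              # v4, binary document, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34" + b"\x00\x09\x01\x55")                # left-16 hash bits and a 9-bit MPI (dummies)
    packet = bytes([0x88, len(body)]) + body                    # old-format header: tag 2, 1-octet length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nComment: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")

def dearmor(text):
    """Strip the ASCII armor and check its CRC-24 trailer."""
    lines = text.splitlines()
    i = lines.index("-----BEGIN PGP SIGNATURE-----") + 1
    while lines[i].strip():                                     # skip armor headers up to the blank line
        i += 1
    data_lines, crc = [], None
    for line in lines[i + 1:]:
        if line.startswith("-----END"):
            break
        if line.startswith("="):
            crc = int.from_bytes(base64.b64decode(line[1:]), "big")
        elif line.strip():
            data_lines.append(line.strip())
    data = base64.b64decode("".join(data_lines))
    if crc is not None and crc24(data) != crc:
        raise ValueError("armor CRC mismatch: the .asc file is corrupt or truncated")
    return data

def packet_body(data):
    """(tag, body) of the first packet; assumes the old-format header gpg emits for signatures."""
    b = data[0]
    if (b & 0xC0) != 0x80:
        raise ValueError("not an old-format OpenPGP packet header")
    tag, ltype = (b >> 2) & 0x0F, b & 3
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    off = 1 + (1 << ltype)                                      # 1-, 2- or 4-octet length field
    return tag, data[off:off + int.from_bytes(data[1:off], "big")]

def subpackets(area):
    """Split a signature subpacket area into (type, body) pairs."""
    out, i = [], 0
    while i < len(area):
        l = area[i]
        if l < 192:
            length, i = l, i + 1
        elif l < 255:
            length, i = ((l - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        out.append((area[i] & 0x7F, area[i + 1:i + length]))    # mask the "critical" bit
        i += length
    return out

def parse_detached_signature(armored):
    """Read what the signer wrote into the .asc; nothing is verified here, these are claims."""
    tag, body = packet_body(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError(f"expected a v4 signature packet, got tag {tag} version {body[0]}")
    info = {"pubkey_algo": PUBKEY_ALGOS.get(body[2], f"algo {body[2]}"),
            "hash_algo": HASH_ALGOS.get(body[3], f"hash {body[3]}")}
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    for sp_type, sp in subpackets(body[6:6 + hlen]) + subpackets(body[8 + hlen:8 + hlen + ulen]):
        if sp_type == 2:
            info["created"] = datetime.datetime.fromtimestamp(struct.unpack(">I", sp)[0], tz=datetime.timezone.utc)
        elif sp_type == 16:
            info["key_id"] = sp.hex().upper()                   # gpg prints its low 32 bits ("key ID 44556677")
        elif sp_type == 33 and sp[0] == 4:
            info["fingerprint"] = sp[1:].hex().upper()
    return info

def issuer_is_pinned(info, pinned_fingerprints):
    """True only if the full fingerprint named in the signature is on our allowlist.
    A key ID is not enough: short IDs are trivially collidable, and the issuer fields
    are unauthenticated until gpg --verify succeeds against the pinned key."""
    wanted = {fp.replace(" ", "").upper() for fp in pinned_fingerprints}
    return info.get("fingerprint", "") in wanted
```

In a download script the order is: parse the .asc, refuse anything whose issuer fingerprint is not pinned, then run gpg --verify and treat a non-zero exit as failure. If you script gpg itself, read its machine-readable output (gpg --status-fd 1 --verify sig file prints a VALIDSIG line carrying the full fingerprint) rather than grepping the human-readable "key ID" line, and compare that fingerprint against the same allowlist.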