purpose
Notes on how to check a PGP signature.
Platform
Ubuntu 8.x
note: gpg is the open version of pgp. once you install pgp or gpg the commands will be the same, so use pgp and gpg interchangeably
install pgp
command: sudo apt-get install pgp
download your software and key
command: wget www.somehost.com/blah.tar.gz
command: wget www.somehost.com/blah.tar.gz.asc
first pass at verifying
will probably fail because you don't have the signer's public key yet
command: pgp blah.tar.gz.asc
this will print out a message that you don't have the public key for some key id, like
No signature found for AC487ADC
get the signer's key from a store
command: gpg --keyserver pgpkeys.mit.edu --recv-key AC487ADC
second pass at verifying
command: pgp blah.tar.gz.asc
it might print some messages saying that nobody else trusts this signature, because the author has not built a web of trust
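The two passes above can also be read from gpg's machine-readable status lines (--status-fd) instead of its printed messages. This is an added example, not part of the original notes; the function names, verdict strings, key id and fingerprint are constructed for illustration. It goes one step past the notes by comparing the signer's full fingerprint with one you obtained separately, since an 8-character key id is too short to identify a key on its own.

```shell
#!/bin/sh
# Added example, not from the original notes. Reads gpg status lines, e.g. from
#   gpg --status-fd 1 --verify blah.tar.gz.asc blah.tar.gz 2>/dev/null
# $1 is the signer's full fingerprint, obtained out of band (assumption).
classify_gpg_status() {
    expected=$1; sig=none; fpr=; keyid=; trust=no-trust-line
    while read -r tag word arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$word" in
            NO_PUBKEY) keyid=$arg; if [ "$sig" = none ]; then sig=nokey; fi ;;
            BADSIG)    sig=bad ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG) if [ "$sig" != bad ]; then sig=stale; fi ;;
            GOODSIG)   if [ "$sig" = none ]; then sig=good; fi ;;
            VALIDSIG)  fpr=$arg ;;
            TRUST_*)   trust=$word ;;
        esac
    done
    case "$sig" in
        nokey) echo "missing-key $keyid"; return 2 ;;
        bad)   echo "bad-signature"; return 1 ;;
        stale) echo "expired-or-revoked"; return 1 ;;
        good)
            # The TRUST_ line is the web-of-trust warning; it does not make a
            # good signature bad, so the decision rests on the fingerprint.
            if [ -n "$expected" ] && [ "$fpr" = "$expected" ]; then
                echo "good-pinned $trust"; return 0
            fi
            echo "good-unpinned $fpr $trust"; return 3 ;;
        *)     echo "no-signature-status"; return 1 ;;
    esac
}

# Constructed sample status output (made-up key id and fingerprint).
SAMPLE_FPR=AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
sample_first_pass() {   # first pass: public key not imported yet
    printf '%s\n' '[GNUPG:] ERRSIG 0000111122223333 1 2 00 1222819200 9' \
                  '[GNUPG:] NO_PUBKEY 0000111122223333'
}
sample_second_pass() {  # second pass: key imported, no web of trust
    printf '%s\n' '[GNUPG:] GOODSIG 0000111122223333 Example Signer <signer@example.org>' \
                  "[GNUPG:] VALIDSIG $SAMPLE_FPR 2008-10-01 1222819200 0 4 0 1 2 00 $SAMPLE_FPR" \
                  '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}

# Demo on the constructed second pass with the matching fingerprint.
sample_second_pass | classify_gpg_status "$SAMPLE_FPR"
```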