How do I verify a PGP signature with a signing key?

information-security pgp
2021-09-01 07:40:36

I have to download a program together with its PGP signature and the signing key (public key).

How do I check the program with the signing key?

2 Answers

Assuming you have GPG installed:

gpg --import signing_key.pub
gpg --verify signed_file.sig

where signing_key.pub is the public key and signed_file.sig is the detached signature of the file (located in the same directory as the signed file).

When only the .asc PGP signature is given

The first attempt to verify the .tar.xz fails, but it is still useful for obtaining the RSA key identifier.

$ gpg --verify tor-browser-linux64-9.0.4_en-US.tar.xz.asc

gpg: assuming signed data in 'tor-browser-linux64-9.0.4_en-US.tar.xz'
gpg: Signature made Thu 09 Jan 2020 21:09:44 CET
gpg:                using RSA key EB774491D9FF06E2
gpg: Can't check signature: No public key

Now import the missing public key from a keyserver, using the RSA key identifier mentioned above.

$ gpg --keyserver pgpkeys.mit.edu --recv-key EB774491D9FF06E2

gpg: key 4E2C6E8793298290: 70 duplicate signatures removed
gpg: key 4E2C6E8793298290: 21229 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 0-, 0q, 0n, 1m, 0f, 0u
gpg: next trustdb check due at 2021-12-08
gpg: Total number processed: 1
gpg:               imported: 1

The second verification attempt now succeeds.

$ gpg --verify tor-browser-linux64-9.0.4_en-US.tar.xz.asc

gpg: assuming signed data in 'tor-browser-linux64-9.0.4_en-US.tar.xz'
gpg: Signature made Thu 09 Jan 2020 21:09:44 CET
gpg:                using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

If that does not work, you can fetch the public key and import it into gpg.

curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -

Then verify the file.

gpg --verify tor-browser-linux64-9.0.10_en-US.tar.xz.asc
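A note on the "Good signature ... [unknown]" result shown in the second answer: it only proves that the signature matches a key that is now in your keyring, not that the key belongs to the Tor Project, which is why gpg prints the WARNING below it. What a practitioner actually checks is the primary key fingerprint (the "Primary key fingerprint:" line) against a value obtained out of band, and a script should read gpg's machine-readable --status-fd output rather than grep the human-readable messages. The following is an added example, not code from either answer above or from the Tor Project. It assumes GnuPG 2.1 or later and awk are installed; the helper name gpg_verify_pinned, the user id, the sample file and the throwaway keyring are this example's own constructions. It shows the three cases a release-verification script must get right: the pinned fingerprint matches, the signature is good but the pinned fingerprint does not match, and the file has been tampered with.

```shell
#!/bin/sh
# Added example, not from the original answers: verify a detached signature
# and pin the signer's primary key fingerprint. Assumes GnuPG 2.1+ and awk.

# gpg_verify_pinned FILE SIGFILE EXPECTED_PRIMARY_FPR
# Succeeds (exit 0) only when gpg reports a valid signature over FILE *and*
# the primary key fingerprint it reports equals EXPECTED_PRIMARY_FPR, which
# the caller must have obtained out of band (project web site, docs, etc.).
# A bare "Good signature" only proves the signature matches some key in the
# keyring; it says nothing about who that key belongs to.
gpg_verify_pinned() {
    _file=$1 _sig=$2 _expected=$3
    # --status-fd 1 puts machine-readable "[GNUPG:] KEYWORD ..." lines on
    # stdout; the human-readable messages stay on stderr and are discarded.
    # A bad signature or a missing key makes gpg exit non-zero.
    _status=$(gpg --batch --no-tty --status-fd 1 --verify "$_sig" "$_file" 2>/dev/null) || return 1
    # VALIDSIG <sig-key-fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
    #          <hash-algo> <sig-class> <primary-key-fpr>
    # The last field is the *primary* key even when a signing subkey made the
    # signature (as in the Tor Browser output above, where subkey
    # EB774491D9FF06E2 signs under primary key 4E2C6E8793298290).
    _actual=$(printf '%s\n' "$_status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# Demo in a throwaway keyring with a constructed key and a constructed file.
# Runs in a subshell so GNUPGHOME does not leak; returns 0 if all cases pass.
demo_pinned_verify() (
    _tmp=$(mktemp -d) || exit 1
    GNUPGHOME=$_tmp; export GNUPGHOME
    chmod 700 "$_tmp"
    _uid='Example Signer <signer@example.invalid>'   # constructed identity
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$_uid" default default never >/dev/null 2>&1 || exit 1
    # The fingerprint we "know" out of band. In real use it comes from the
    # project's own web site or documentation, never from the keyserver that
    # served the key.
    _fpr=$(gpg --batch --with-colons --list-keys "$_uid" 2>/dev/null \
           | awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'release tarball bytes (constructed sample)\n' > "$_tmp/release.tar.xz"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$_tmp/release.tar.xz.asc" \
        "$_tmp/release.tar.xz" 2>/dev/null || exit 1

    # 1. Untampered file, correct pinned fingerprint: must pass.
    gpg_verify_pinned "$_tmp/release.tar.xz" "$_tmp/release.tar.xz.asc" "$_fpr" || exit 1
    # 2. Same good signature, pinned to a different fingerprint: gpg still
    #    prints "Good signature", but the check must fail.
    _wrong=0000000000000000000000000000000000000000
    if gpg_verify_pinned "$_tmp/release.tar.xz" "$_tmp/release.tar.xz.asc" "$_wrong"; then exit 1; fi
    # 3. Tampered file: gpg reports BADSIG and exits non-zero; must fail.
    printf 'x' >> "$_tmp/release.tar.xz"
    if gpg_verify_pinned "$_tmp/release.tar.xz" "$_tmp/release.tar.xz.asc" "$_fpr"; then exit 1; fi

    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$_tmp"
    exit 0
)

demo_pinned_verify && echo "all three verification cases behaved as expected"
```

For a real download you would call gpg_verify_pinned with the tarball, its .asc file and the fingerprint published by the project, after importing the key as either answer shows; the import step supplies the key, the fingerprint comparison supplies the trust that the "[unknown]" warning says is missing.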