[tor-talk] Problems? Verifying signatures in Tor 4.0.4

andre76 at fastmail.fm andre76 at fastmail.fm
Fri Feb 27 12:44:04 UTC 2015



On Thu, Feb 26, 2015, at 05:55 PM, Simon Nicolussi wrote:
> andre76 at fastmail.fm wrote:
> > $ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc                
> 
> Note that calling gpg --verify with a detached signature as its only
> argument is insecure (later versions of GnuPG should emit a warning).
> See my message to Gnupg-users and subsequent responses for details:
> http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html
> 

I could read those responses until the end of time and wouldn't
understand anything.

Could you tell me what I'm supposed to enter in Terminal to get a
response that indicates a good file or a bad file?

Here's what I entered (2 separate ways):

$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz.asc

gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
gpg: BAD signature from "Tor Browser Developers (signing key) <torbrowser at torproject.org>"


$ gpg --verify tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz

gpg: Signature made Wed 25 Feb 2015 02:54:55 AM EST using RSA key ID F65C2036
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser at torproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 5242 013F 02AF C851 B1C7  36B8 7017 ADCE F65C 2036

> -- 
> Simon Nicolussi <sinic at sinic.name>
> http{s,}://{www.,}sinic.name/

-- 
http://www.fastmail.com - A no graphics, no pop-ups email service
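
Added example, not part of the original message and not Tor Project tooling: a shell wrapper that always passes both the detached signature and the signed file to gpg, then checks gpg's machine-readable status output against the primary key fingerprint shown in the output above. It assumes that fingerprint has been confirmed through a channel you trust; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. The fingerprint is the "Primary key fingerprint" printed in
# the gpg output quoted in the message above.
TOR_BROWSER_FPR=EF6E286DDA85EA2A4BA7DE684E2C6E8793298290

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names EXPECTED_FPR as the primary key (its last field) and no BADSIG or
# ERRSIG line is present. Fails closed on anything else.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_detached SIG FILE [EXPECTED_FPR]
# Names both the detached signature and the signed file explicitly, so gpg
# never has to guess which data the signature covers.
verify_detached() {
    sig=$1 file=$2 fpr=${3:-$TOR_BROWSER_FPR}
    if [ ! -f "$sig" ] || [ ! -f "$file" ]; then
        echo "usage: verify_detached SIG FILE [FPR]" >&2
        return 2
    fi
    if gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        check_status "$fpr"
    then
        echo "GOOD: $file is signed by key $fpr"
    else
        echo "BAD: $file did not verify against key $fpr" >&2
        return 1
    fi
}

# Constructed sample status lines (not captured from a real run), showing
# what check_status looks for.
SAMPLE_GOOD='[GNUPG:] GOODSIG 7017ADCEF65C2036 Tor Browser Developers
[GNUPG:] VALIDSIG 5242013F02AFC851B1C736B87017ADCEF65C2036 2015-02-25 1424850895 0 4 0 1 8 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'
SAMPLE_BAD='[GNUPG:] BADSIG 7017ADCEF65C2036 Tor Browser Developers'
```

After sourcing the file, run: verify_detached tor-browser-linux32-4.0.4_en-US.tar.xz.asc tor-browser-linux32-4.0.4_en-US.tar.xz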


