Verify a file signature

[DaveC]

Hello Ranga,
Thank you for your post!

Results were successful!

However…

gpg: Good signature from "Tor Browser Developers (signing key) 
<torbrowser at torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the 
owner.

Is this important? I downloaded both the .dmg and .asc files from the 
Tor Project https website.

Thanks,
Dave



On 18 Apr 2023, at 18:33, Sriranga Veeraraghavan wrote:

> Hi Dave,
>
> In my experience, you shouldn't need anything more than GnuPG 2.x to 
> verify a signature stored in a .asc file.  You should be able to 
> verify the signature stored in a .asc file as follows:
>
> gpg --verify [.asc file] [.dmg file]
>
> This assumes that you have the relevant public key in your GnuPG 
> keychain.  If you do not have the relevant key in your keychain, you 
> will need to download it and import it:
>
> gpg --import [key file]
>
> Best,
>
> -ranga
>
>> On Apr 18, 2023, at 17:08, dave c via macports-users 
>> <macports-users at lists.macports.org> wrote:
>>
>> I want to verify an installer .dmg file’s signature. I downloaded 
>> both files (installer and signature) from the developer’s site.
>>
>> I installed gpg tools and discovered that gpg is looking for a .sig 
>> file, but the signature file available from the developer is an .asc 
>> file.
>>
>> I won’t describe the rabbit hole I went down of installing other 
>> packages so to install apt-get which requires other packages be 
>> installed first…
>>
>> I’m not ignorant nor inexperienced using terminal but this time it 
>> was just too far.
>>
>> Looking for help to the shortest distance to my goal of verifying a 
>> signature.
>>
>> Thanks,
>> Dave
>> macOS 10.12.6 Sierra