Verify a file signature

Sriranga Veeraraghavan sriranga at berkeley.edu
Wed Apr 19 19:05:59 UTC 2023


Hi Dave,

I think this message means that although the signature appears valid, GnuPG doesn't trust the signature because you have not signed the Tor project's key with your key.  

Assuming you have your own key, you should be able to sign the Tor project's key with your key as follows:

gpg --lsign-key E53D989A9E2D47BF

The "E53D989A9E2D47BF" is the short key fingerprint that I found for the Tor project's key.  Once you've signed the key, the warning should go away.

Of course, you should only sign a key if you trust it.  And if you don't want to bother with key signing, you can do what most people probably do and ignore the warning.

Best,

-ranga

> On Apr 19, 2023, at 10:55, DaveC <davec2468 at yahoo.com> wrote:
> 
> Hello Ranga,
> Thank you for your post!
> 
> Results were successful!
> 
> However…
> 
> gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser at torproject.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> 
> Is this important? I downloaded both the .dmg and .asc files from the Tor Project https website.
> 
> Thanks,
> Dave
> 
> 
> 
> On 18 Apr 2023, at 18:33, Sriranga Veeraraghavan wrote:
> 
>> Hi Dave,
>> 
>> In my experience, you shouldn't need anything more than GnuPG 2.x to verify a signature stored in a .asc file.  You should be able to verify the signature stored in a .asc file as follows:
>> 
>> gpg --verify [.asc file] [.dmg file]
>> 
>> This assumes that you have the relevant public key in your GnuPG keychain.  If you do not have the relevant key in your keychain, you will need to download it and import it:
>> 
>> gpg --import [key file]
>> 
>> Best,
>> 
>> -ranga
>> 
>>> On Apr 18, 2023, at 17:08, dave c via macports-users <macports-users at lists.macports.org> wrote:
>>> 
>>> I want to verify an installer .dmg file’s signature. I downloaded both files (installer and signature) from the developer’s site.
>>> 
>>> I installed gpg tools and discovered that gpg is looking for a .sig file, but the signature file available from the developer is an .asc file.
>>> 
>>> I won’t describe the rabbit hole I went down of installing other packages so to install apt-get which requires other packages be installed first…
>>> 
>>> I’m not ignorant nor inexperienced using terminal but this time it was just too far.
>>> 
>>> Looking for help to the shortest distance to my goal of verifying a signature.
>>> 
>>> Thanks,
>>> Dave
>>> macOS 10.12.6 Sierra
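As an added illustration that is not part of this thread: the distinction Ranga draws above, between a signature that checks out and a key GnuPG has not been told to trust, is also exposed in GnuPG's machine-readable status output (`gpg --status-fd 1 --verify file.asc file.dmg`), which is what a script should inspect rather than the human-readable warning Dave quoted. The Python below parses constructed status lines and classifies the result; it also shows the common alternative to signing the key, namely pinning the primary fingerprint obtained out of band. The key ID is the one quoted in the thread, the fingerprints are placeholders, and `run_gpg_verify` is a hypothetical helper that shells out to gpg (not exercised offline).

```python
"""Added example: classify a GnuPG verification by its --status-fd output.

gpg's "WARNING: This key is not certified with a trusted signature!" is a
trust message, not a signature failure.  The status lines separate the two.
"""
import re
import subprocess
from dataclasses import dataclass

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


@dataclass
class VerifyResult:
    good_sig: bool = False      # GOODSIG: signature checked out against a key in the keyring
    bad_sig: bool = False       # BADSIG/ERRSIG: signature did not check out
    missing_key: bool = False   # NO_PUBKEY: signing key is not in the keyring
    signer_keyid: str = ""      # long key ID from GOODSIG
    primary_fpr: str = ""       # primary-key fingerprint from VALIDSIG
    trust: str = ""             # TRUST_UNDEFINED / TRUST_MARGINAL / TRUST_FULLY / TRUST_ULTIMATE

    def key_trusted(self) -> bool:
        return self.trust in ("TRUST_FULLY", "TRUST_ULTIMATE")


def parse_status(lines):
    """Fold gpg status lines into a VerifyResult; non-status lines are ignored."""
    r = VerifyResult()
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "GOODSIG":
            r.good_sig = True
            r.signer_keyid = args[0]
        elif keyword in ("BADSIG", "ERRSIG"):
            r.bad_sig = True
        elif keyword == "NO_PUBKEY":
            r.missing_key = True
        elif keyword == "VALIDSIG":
            # Fields: fpr date timestamp expire version reserved pk-algo hash-algo class [primary-fpr]
            r.primary_fpr = args[9] if len(args) > 9 else args[0]
        elif keyword.startswith("TRUST_"):
            r.trust = keyword
    return r


def verdict(result, expected_primary_fpr=""):
    """Return one of: no-key, bad, good-pinned, good-trusted, good-untrusted."""
    if result.missing_key:
        return "no-key"
    if result.bad_sig or not result.good_sig:
        return "bad"
    if expected_primary_fpr and result.primary_fpr.upper() == expected_primary_fpr.upper():
        return "good-pinned"      # matches a fingerprint obtained out of band
    if result.key_trusted():
        return "good-trusted"     # web-of-trust path, e.g. after gpg --lsign-key
    return "good-untrusted"       # Dave's situation: valid signature, uncertified key


def run_gpg_verify(sig_path, data_path):
    """Hypothetical helper: run gpg with status output on stdout and parse it."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return parse_status(proc.stdout.splitlines())


# Constructed sample output (not captured from a real run).  The key ID is the
# one quoted in this thread; both fingerprints are placeholders.
PLACEHOLDER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD_UNTRUSTED = [
    "[GNUPG:] GOODSIG E53D989A9E2D47BF Tor Browser Developers (signing key) <torbrowser@torproject.org>",
    f"[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2023-04-12 1681300000 0 4 0 1 10 00 {PLACEHOLDER_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_AFTER_LSIGN = SAMPLE_GOOD_UNTRUSTED[:2] + ["[GNUPG:] TRUST_FULLY 0 pgp"]
SAMPLE_BAD = ["[GNUPG:] BADSIG E53D989A9E2D47BF Tor Browser Developers (signing key) <torbrowser@torproject.org>"]

if __name__ == "__main__":
    for name, sample in [("untrusted", SAMPLE_GOOD_UNTRUSTED),
                         ("after lsign", SAMPLE_AFTER_LSIGN),
                         ("bad", SAMPLE_BAD)]:
        res = parse_status(sample)
        print(f"{name}: {verdict(res)} / with pinned fpr: {verdict(res, PLACEHOLDER_FPR)}")
```

The "good-pinned" path is why many users never bother with `--lsign-key`: if the expected fingerprint is recorded from a trusted source beforehand, a VALIDSIG match is a stronger statement than the web-of-trust warning going away, and it does not depend on the local keyring's trust settings at all.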


