From fpesposito at gmail.com Tue Nov 28 17:20:20 2023 From: fpesposito at gmail.com (Frank Esposito) Date: Tue, 28 Nov 2023 11:20:20 -0500 Subject: [Gpg4win-users-en] verify Message-ID: Hello --- I am new to gpg ---- I recently download software and it also had a signature file ---- I found that I can verify download with pgp --verify file.sig file I got the message(s) gpg: Signature made 11/30/2022 12:53:56 PM Eastern Standard Time gpg: using RSA key 3690C240CE51B4670D30AD1C38EE757D69184620 gpg: Can't check signature: No public key what am I missing here? Thanks -- Frank Esposito -------------- next part -------------- An HTML attachment was scrubbed... URL: From bernhard at intevation.de Tue Nov 28 17:44:58 2023 From: bernhard at intevation.de (Bernhard Reiter) Date: Tue, 28 Nov 2023 17:44:58 +0100 Subject: [Gpg4win-users-en] verify In-Reply-To: References: Message-ID: <202311281745.06450.bernhard@intevation.de> Hi Frank, Am Dienstag 28 November 2023 17:20:20 schrieb Frank Esposito: > Hello --- I am new to gpg ---- welcome to our community! :) > I recently download software and it also > had a signature file ---- > > I found that I can verify download with > > pgp --verify file.sig file > > I got the message(s) > > gpg: Signature made 11/30/2022 12:53:56 PM Eastern Standard Time > gpg: using RSA key 3690C240CE51B4670D30AD1C38EE757D69184620 > gpg: Can't check signature: No public key > > what am I missing here? ..the public key to verify the signature with. Note that it is purely optional to verify the GnuPG signature. The recommended way is to check the code signature with Windows. https://wiki.gnupg.org/Gpg4win/CheckIntegrity has the details. (One place to get the public key is https://gnupg.org/signature_key.html) Best Regards, Bernhard -- https://intevation.de/~bernhard   +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From bernhard at intevation.de Tue Nov 28 18:47:10 2023 From: bernhard at intevation.de (Bernhard Reiter) Date: Tue, 28 Nov 2023 18:47:10 +0100 Subject: [Gpg4win-users-en] verify In-Reply-To: References: <202311281745.06450.bernhard@intevation.de> Message-ID: <202311281847.22891.bernhard@intevation.de> Am Dienstag 28 November 2023 17:55:19 schrieb Frank Esposito: > thanks for the info ---- I am new to all this and it quite overwhelming > just to verify a file ---- For the Gpg4win*.exe download, you don't, just check the code signature. :) Otherwise you do it from the explorer, right click and select verify on the signature. If you want to do it on the command line as an exercise: > from the syntax of --verify how is the > public key found/referenced? The public key (short "pubkey") is imported earlier and then is found in your local key storage. So it is just gpg --verify FILENAME after you did an gpg --fetch https://gnupg.org/signature_key.asc Or you download https://gnupg.org/signature_key.asc and gpg --import signature_key.as If you want to see more about what is happening, you can add an `-v` after the 'gpg`, like gpg -v --fetch https://gnupg.org/signature_key.asc Best Regards, Bernhard -- https://intevation.de/~bernhard   +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer: Frank Koormann, Bernhard Reiter -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: