verify gcc download

John Clizbe John at Mozilla-Enigmail.org
Tue Dec 29 21:09:24 CET 2009


David Durham wrote:
>  Hello,
> 
> I am trying to verify the download of a gcc-4.1.0.tar.bz2 file. I also
> downloaded the corresponding gcc-4.1.0.tar.bz2.sig file. I have tried
> gpg --verify gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2, but it says "can't
> check signature, public key not found." Does this mean the file has been
> verified, but just not the signature? The file at
> ftp.gnu.org/MISSING-FILES.README says that all releases after 8-1-2003
> will be signed by the gpg maintainer who prepared the release. Does this
> mean I need to get the public keys of each maintainer for each software
> release I download? If so, could you please tell me how and where to get
> the appropriate public keys?

Yep, you need the public key(s). From looking at the sig file it was signed by
Mark Mitchell <mark at codesourcery.com> 0xB75C61B8

You may fetch the key beforehand (if you know the ID):

$ gpg --keyserver yogi --recv-key 0xB75C61B8

or add the appropriate options to the gpg command line:

$ gpg --keyserver yogi --keyserver-options auto-key-retrieve \
    --verify gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2
gpg: Signature made 02/28/06 12:57:12 using DSA key ID B75C61B8
gpg: requesting key B75C61B8 from hkp server yogi
gpg: key B75C61B8: public key "Mark Mitchell <mark at codesourcery.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: please do a --check-trustdb
gpg: Good signature from "Mark Mitchell <mark at codesourcery.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B3C4 2148 A44E 6983 B3E4  CC07 93FA 9B1A B75C 61B8

You'd need to change the keyserver to something publicly accessible such as
pool.sks-keyservers.net.

I would have thought there'd be an easily found keyring for gcc distros.


-- 
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
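
The session above ends with "Good signature" plus a warning that nothing ties the key to its owner, so the meaningful check is the primary key fingerprint. The following is an added example, not part of the original message: it reads `gpg --status-fd` output and accepts only a signature whose primary key fingerprint matches a pinned value. The function names and the sample status lines are constructed for illustration, and the pinned fingerprint is the one printed in the session above, assumed to have been confirmed through a channel other than the keyserver.

```shell
#!/bin/sh
# Added example: accept/reject from `gpg --status-fd` output by comparing the
# signer's primary-key fingerprint with a pinned value.

# Fingerprint from the session above, spaces removed. Assumption: it has been
# confirmed out of band before being pinned here.
PINNED_FPR="B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8"

# check_status EXPECTED_FPR   (reads gpg status lines on stdin)
# Returns 0 only if a VALIDSIG line carries EXPECTED_FPR as primary-key
# fingerprint and no BADSIG/ERRSIG/REVKEYSIG/EXPKEYSIG line is present.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" || $2 == "EXPKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key; field 12, when present,
            # is the primary key fingerprint.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_file SIGFILE DATAFILE: run gpg and apply the check.
# Status lines go to stdout (fd 1); the human-readable text on stderr is dropped.
verify_file() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed sample of status output for a good signature by the pinned key
# (timestamp and algorithm fields are illustrative).
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 93FA9B1AB75C61B8 Mark Mitchell <mark at codesourcery.com>
[GNUPG:] VALIDSIG B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8 2006-02-28 1141160232 0 3 0 17 2 00 B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8
EOF
}

# Stand-alone use: sh script.sh gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2
if [ "$#" -eq 2 ]; then
    if verify_file "$1" "$2"; then echo "OK: signed by pinned key"; else echo "REJECT"; exit 1; fi
fi
```

A signature that verifies against any other key, including one fetched automatically with `auto-key-retrieve`, is rejected because its fingerprint does not match the pinned one.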


More information about the Gnupg-users mailing list