verify gcc download

John Clizbe John at
Tue Dec 29 21:09:24 CET 2009

David Durham wrote:
>  Hello,
> I am trying to verify the download of a gcc-4.1.0.tar.bz2 file. I also
> downloaded the corresponding gcc-4.1.0.tar.bz2.sig file. I have tried
> gpg --verify gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2, but it says "can't
> check signature, public key not found." Does this mean the file has been
> verified, but just not the signature? The file at
> says that all releases after 8-1-2003
> will be signed by the gpg maintainer who prepared the release. Does this
> mean I need to get the public keys of each maintainer for each software
> release I download? If so, could you please tell me how and where to get
> the appropriate public keys?

Yep, you need the public key(s). From looking at the sig file it was signed by
Mark Mitchell <mark at> 0xB75C61B8

You may fetch the key beforehand (if you know the ID):

$ gpg --keyserver yogi --recv-key 0xB75C61B8

or add the appropriate options to the gpg command line:

$ gpg --keyserver yogi --keyserver-options auto-key-retrieve \
    --verify gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2
gpg: Signature made 02/28/06 12:57:12 using DSA key ID B75C61B8
gpg: requesting key B75C61B8 from hkp server yogi
gpg: key B75C61B8: public key "Mark Mitchell <mark at>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: please do a --check-trustdb
gpg: Good signature from "Mark Mitchell <mark at>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B3C4 2148 A44E 6983 B3E4  CC07 93FA 9B1A B75C 61B8

You'd need to change the keyserver to something publicly accessible such as

I would have thought there'd be an easily found keyring for gcc distros.

John P. Clizbe                      Inet:John (a)
You can't spell fiasco without SCO. hkp://  or
     mailto:pgp-public-keys at

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
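
Added example, not part of the original post: a shell wrapper that accepts the download only when gpg reports a valid signature made by a key whose full fingerprint matches one you already trust, reading the machine-readable --status-fd output rather than the human-readable text. The function names are hypothetical; the fingerprint is the one printed in the gpg output above, and the code assumes you have confirmed it through a channel you trust.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Fingerprint printed in the gpg output quoted above, spaces removed.
# Assumption: you have confirmed it through a channel you trust.
GCC_FPR="B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8"

# normalize_fpr FPR: strip spaces and upper-case the hex digits,
# so the spaced form gpg prints ("B3C4 2148 ...") is accepted too.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_status FPR: read `gpg --status-fd` lines on stdin.
# Succeeds only if a VALIDSIG line names FPR as the signing key
# (field 3) or as its primary key (last field), and no BADSIG,
# ERRSIG or REVKEYSIG line appears. Returns 2 if FPR is not a
# full 40-digit fingerprint (short key IDs are refused).
check_status() {
    want=$(normalize_fpr "$1")
    case "$want" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download SIGFILE DATAFILE FPR: run gpg and apply the check.
# Example call, once the key is in your keyring:
#   verify_download gcc-4.1.0.tar.bz2.sig gcc-4.1.0.tar.bz2 "$GCC_FPR"
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}
```

A missing public key yields ERRSIG and no VALIDSIG line, so verify_download fails in the situation described in the original question.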
