verify TrueCrypt
Hauke Laging
mailinglisten at hauke-laging.de
Wed Feb 22 13:53:27 CET 2012
On Wednesday, 22 February 2012, 10:15:50, Marco Dorigo wrote:
> I followed the howto on truecrypt
> (http://www.truecrypt.org/docs/?s=digital-signatures)
That description contains an "error". And you misunderstood something:
"Sign the imported key with your private key to mark it as trusted". "To" mark
it trusted, not "and" mark it trusted. The trust you have set is something
completely different (regarding the web of trust).
The "error" is: "If you skip this step and attempt to verify any of our PGP
signatures, you will receive an error message stating that the signing key is
invalid."
The error message just tells you that this key is not considered valid yet. It
does tell you that the signature has been made by that key. And that's all you
need. It usually does not make much sense to sign a key which you have not
checked. My advice: Either delete the signature or use the signing key for
"worthless" signatures only (and in a way that makes sure you are not
confused).
> Because when I'm trying to verify it
> gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig truecrypt-7.1a-linux-x64.tar.gz
> it just says:
> gpg: verify signatures failed: eof
I guess that the signature file is broken. Download it again. If the signed
file were broken then the error message should say that the signature is
wrong.
What is the size of the signature file and what is the type of the signing
key? I assume that if the signature file is incomplete then somebody here can
tell already by the length.
We need the output of
gpg --list-keys
(for the TrueCrypt key only)
Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
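
Added example, not part of the original message: one way to make the length check mentioned above concrete is to read the first OpenPGP packet header (RFC 4880, section 4.2) of a binary detached signature and compare the declared body length with the bytes actually present. The function name and the sample bytes are constructed for illustration; ASCII-armored files are reported, not decoded.

```python
# Added example: is the first packet of a binary detached signature complete?
SIGNATURE_TAG = 2  # OpenPGP packet tag for a signature packet (RFC 4880)

def first_packet_state(data: bytes) -> str:
    """Return 'complete', 'truncated', 'not-binary-openpgp' or 'unsupported'."""
    if not data:
        return "truncated"
    first = data[0]
    if not first & 0x80:  # bit 7 is set on every binary packet header
        return "not-binary-openpgp"  # e.g. ASCII armor or a saved HTML page
    try:
        if first & 0x40:  # new-format header
            tag, o1 = first & 0x3F, data[1]
            if o1 < 192:
                hdr_len, body_len = 2, o1
            elif o1 < 224:
                hdr_len, body_len = 3, ((o1 - 192) << 8) + data[2] + 192
            elif o1 == 255:
                if len(data) < 6:
                    return "truncated"
                hdr_len, body_len = 6, int.from_bytes(data[2:6], "big")
            else:
                return "unsupported"  # partial body lengths
        else:  # old-format header
            tag = (first >> 2) & 0x0F
            size = {0: 1, 1: 2, 2: 4}.get(first & 0x03)
            if size is None:
                return "unsupported"  # indeterminate length
            if len(data) < 1 + size:
                return "truncated"
            hdr_len, body_len = 1 + size, int.from_bytes(data[1:1 + size], "big")
    except IndexError:  # file ends inside the length field
        return "truncated"
    if tag != SIGNATURE_TAG:
        return "unsupported"
    return "complete" if len(data) >= hdr_len + body_len else "truncated"

# Constructed sample: old-format signature header (0x89), 2-octet length 0x011C,
# followed by 284 filler bytes standing in for the signature body.
SAMPLE = bytes([0x89, 0x01, 0x1C]) + bytes(0x011C)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE[:100]
    print(len(blob), "bytes:", first_packet_state(blob))
```

A "complete" result only shows that the file was not cut short; whether the signature is good still comes from gpg --verify.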