How to verify X.509 signatures?
adrelanos at riseup.net
Sun Mar 24 13:10:38 CET 2013
> * adrelanos <adrelanos at riseup.net> wrote:
>> TrueCrypt.org says  they are signing "TrueCrypt Setup 7.1a.exe"
>>  with a X.509 signature. How can I verify such a signature?
> For Windows, they explicitly state how to do that.
Yes, that's easily working.
>> (On Debian Wheezy.) I tried:
>> gpg2 --verify "TrueCrypt Setup 7.1a.exe"
>> gpg: no valid OpenPGP data found.
>> gpg: the signature could not be verified.
>> Please remember that the signature file (.sig or .asc)
>> should be the first file given on the command line.
>> gpgsm --verify "TrueCrypt Setup 7.1a.exe"
>> gpgsm: ksba_cms_parse failed: End of file
> I'd consult the OpenSSL manual.
> If I parse your quest correctly, you are trying to check the sig of a
> Windows binary on some debian system.
> Why not ask the TrueCrypt head
> honchos about putting up that info as well?
They are not communicative.
I don't care so much about that truecrypt.exe, but want to know how it
works in general for any file on Linux. This is because I consider dual
signing the files I distribute.
More information about the Gnupg-users