How to verify X.509 signatures?

adrelanos adrelanos at
Sun Mar 24 13:10:38 CET 2013

Markus Reichelt:
> * adrelanos <adrelanos at> wrote:
>> says [1] they are signing "TrueCrypt Setup 7.1a.exe"
>> [2] with a X.509 signature.  How can I verify such a signature?
> For Windows, they explicitly state how to do that.

Yes, that's easily working.

>> (On Debian Wheezy.) I tried:
>> gpg2 --verify "TrueCrypt Setup 7.1a.exe"
>> gpg: no valid OpenPGP data found.
>> gpg: the signature could not be verified.
>> Please remember that the signature file (.sig or .asc)
>> should be the first file given on the command line.
>> gpgsm --verify "TrueCrypt Setup 7.1a.exe"
>> gpgsm: ksba_cms_parse failed: End of file
> I'd consult the OpenSSL manual.


> If I parse your quest correctly, you are trying to check the sig of a
> Windows binary on some debian system.


> Why not ask the TrueCrypt head
> honchos about putting up that info as well?

They are not communicative.

I don't care so much about that truecrypt.exe, but want to know how it
works in general for any file on Linux. This is because I consider dual
signing the files I distribute.

More information about the Gnupg-users mailing list