How to verify X.509 signatures?
adrelanos
adrelanos at riseup.net
Sun Mar 24 13:37:51 CET 2013
Peter Lebbing:
> On 23/03/13 21:06, adrelanos wrote:
>> TrueCrypt.org says [1] they are signing "TrueCrypt Setup
>> 7.1a.exe" [2] with an X.509 signature. How can I verify such a
>> signature?
>
> This is probably a "Microsoft Authenticode" signature on a
> Microsoft PE executable. It's very specifically a Microsoft thing,
> and you'll need a program with specific support for this format.
> It's X.509 wrapped inside an executable.

Ah. Ok. Will google that up.

> If you Google for it, you'll probably find a lot of references to a
> heated discussion between Matthew Garrett and Linus Torvalds about
> including a parser in the Linux kernel :).

Ok.

> The best I could come up with through Googling was [1]. You might
> be able to write something up in Python with the pefile module.
>
> Alternatively, just either
> - verify on Windows, by checking the "Properties" of the executable
> - verify using the OpenPGP signature they also provide

Ok, got that. I am primarily looking for some mechanism built into
mainstream Linux distributions, making it much easier to verify a file
comes from a specific entity. This thing sounds much too complicated.
Thanks! :)