Fwd: which program use: gpg or gpgv?
Shawn K. Quinn
skquinn at rushpost.com
Thu Jul 6 03:32:23 CEST 2017
On 07/04/2017 03:40 PM, fuflono--- via Gnupg-users wrote:
> -----Original Message-----
> From: fuflono <fuflono at aol.com>
> To: gnupg-users <gnupg-users at gnupg.org>
> Sent: Mon, Jul 3, 2017 4:01 pm
> Subject: which program use: gpg or gpgv?
>
> Hi,
> my Debian8.8 has the programs about gpg:
>
> -rwxr-xr-x 1 root root 1128700 Sep 3 2016 gpg
> -rwxr-xr-x 1 root root 913236 Sep 3 2016 gpg2
> -rwxr-xr-x 1 root root 334260 Sep 3 2016 gpg-agent
> -rwxr-xr-x 1 root root 148108 Sep 3 2016 gpgconf
> -rwxr-xr-x 1 root root 165508 Sep 3 2016 gpg-connect-agent
> -rwxr-xr-x 1 root root 38144 Sep 3 2016 gpgkey2ssh
> -rwxr-xr-x 1 root root 25908 Sep 3 2016 gpgparsemail
> -rwxr-xr-x 1 root root 59104 Sep 3 2016 gpgsplit
> -rwxr-xr-x 1 root root 407820 Sep 3 2016 gpgv
> -rwxr-xr-x 1 root root 3303 Sep 3 2016 gpg-zip
>
> Are they enough or no, for verifying integrity of packages?
>
> Also is ~/.gnupg
> drwx------ 2 user user 4096 Aug 13 2016 private-keys-v1.d #it's empty#
> -rw------- 1 user user 0 Jun 24 15:34 pubring.gpg
> -rw------- 1 user user 0 Jun 28 12:45 secring.gpg
> -rw------- 1 user user 40 Jun 30 07:19 trustdb.gpg
> user at debian:~/.gnupg$
>
> And I don't know which program to use: gpg or gpgv?
> ------------------------------------------
> ~/Downloads/screen-4.5.1$ gpg -vv --verify screen-4.5.1.tar.gz.sig
> screen-4.5.1.tar.gz
> gpg: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
> version 4, created 1488037815, md5len 0, sigclass 0x00
> digest algo 8, begin of digest 2e ec
> hashed subpkt 33 len 21 (?)
> hashed subpkt 2 len 4 (sig created 2017-02-25)
> subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
> data: [4095 bits]
> gpg: Signature made Sat 25 Feb 2017 10:50:15 AM EST using RSA key ID
> F747ABD7
> gpg: Can't check signature: public key not found
> user at debian:~/Downloads/screen-4.5.1$
> ~/Downloads/screen-4.5.1$
This means you do not have the correct key in pubring.gpg where the main
gpg executable is expecting it. As pubring.gpg is a zero byte file, this
is entirely to be expected. To fix this, add the appropriate keys.
> --------------------------------------
> :~/Downloads/screen-4.5.1$ gpgv -vv screen-4.5.1.tar.gz.sig
> gpgv: keyblock resource `/home/user/.gnupg/trustedkeys.gpg': file open error
> gpgv: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
> version 4, created 1488037815, md5len 0, sigclass 0x00
> digest algo 8, begin of digest 2e ec
> hashed subpkt 33 len 21 (?)
> hashed subpkt 2 len 4 (sig created 2017-02-25)
> subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
> data: [4095 bits]
> gpgv: no signed data
> gpgv: can't hash datafile: file open error
> user at debian:~/Downloads/screen-4.5.1$
> -----------------------------------
The first line means there is no trustedkeys.gpg keyring. This is the
keyring that gpgv uses. Unlike the main gpg program, it assumes
everything on that keyring is a valid and fully trustable key.

Which one you decide to use to verify packages is ultimately a matter of
personal choice. If you wish to keep a separate keyring for the purpose
of verifying signatures on certain files such as software releases, then
perhaps gpgv is the better choice. If you think that's overkill and you
are content with one keyring for both correspondence and signature
verification, then the main gpg program will do. Debian itself uses gpgv
to verify updates but there is a specific reason for this, that being
that the apt and dpkg tools used by most users never need to sign or
encrypt anything, only verify signatures.
--
Shawn K. Quinn <skquinn at rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com
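
Added example, not part of the original message or of GnuPG itself: because gpgv treats every key on its keyring as trusted, a release check is stronger when it also confirms which key made the signature. The sketch below reads gpgv's machine-readable `--status-fd` output and compares the signer against a pinned fingerprint. The function names, the sample status lines and the fingerprint `0123...4567` are constructed placeholders; only the key ID 21F968DEF747ABD7 and the timestamp come from the thread.

```shell
# Added example, not from the original message. Function names, the sample
# status lines and the pinned fingerprint are constructed for illustration.

# status_verdict PINNED_FPR  (reads "gpgv --status-fd 1" output on stdin)
#   OK              valid signature made by the pinned key
#   WRONG_KEY       valid signature, but by some other key on the keyring
#   NO_PUBKEY <id>  signing key is not on the keyring (the error in the thread)
#   BAD             bad signature, expired/revoked key, or no signature at all
status_verdict() (
    pinned=$1 signer="" primary="" missing="" bad=0
    while read -r pfx tag a1 rest; do
        case $tag in
            VALIDSIG)  signer=$a1; primary=${rest##* } ;;  # last field: primary key fpr
            NO_PUBKEY) missing=$a1 ;;
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then echo BAD
    elif [ -n "$signer" ]; then
        if [ "$signer" = "$pinned" ] || [ "$primary" = "$pinned" ]
        then echo OK; else echo WRONG_KEY; fi
    elif [ -n "$missing" ]; then echo "NO_PUBKEY $missing"
    else echo BAD; fi
)

# verify_release KEYRING PINNED_FPR SIGFILE DATAFILE
# KEYRING should contain a slash, otherwise gpgv looks for it in its home directory.
verify_release() {
    verdict=$(gpgv --keyring "$1" --status-fd 1 "$3" "$4" 2>/dev/null |
              status_verdict "$2") || true
    echo "$verdict"
    [ "$verdict" = OK ]
}

# Constructed status output for a key that is missing from the keyring.
sample_missing_key() {
    cat <<'EOF'
[GNUPG:] ERRSIG 21F968DEF747ABD7 1 8 00 1488037815 9
[GNUPG:] NO_PUBKEY 21F968DEF747ABD7
EOF
}

# Constructed status output for a good signature (fingerprint is a placeholder).
sample_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-02-25 1488037815 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}
```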