having trouble checking the signature of a downloaded file

Peter Lebbing peter at digitalbrains.com
Wed Feb 21 11:53:56 CET 2018


On 21/02/18 10:48, Kristian Fiskerstrand wrote:
>>    gpg: Signature made Tue May  4 23:03:11 2004 JST
> [...]
> 
> The author should sign the package using a more modern and secure keyblock.

Note that not the key, but the /signature/ was made 14 years ago. So
we're talking about verifying the integrity of a really old file. The
author might not be available anymore or willing to expend any effort.

GnuPG 1.4 is kept around to verify such old files. So perhaps the OP
could use GnuPG 1.4 to verify the file; without further information
about the system he is using it is hard to explain how exactly to do
this. However, I get the feeling his OS is NetBSD :-). So if somebody
knows how GnuPG is installed there... (I don't)

This all comes with a major caveat. The reason you can't do it with
modern GnuPG is that the security of PGP-2 keys and signatures is no
longer at a sufficient level. So while it gives some confidence when the
signature verifies positively, a well-equipped attacker might have faked
it anyway!

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
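An added example, not code from this thread or from the GnuPG project: a small wrapper around the approach Peter describes, trying the installed modern gpg first and falling back to GnuPG 1.4 only when gpg reports that it could not check the signature at all. It assumes GnuPG 1.4 is installed under the name `gpg1` (the Debian package name; override with the GPG1 variable), and it parses the `--status-fd` lines that all GnuPG versions emit rather than the human-readable messages.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG. It parses the
# machine-readable status lines GnuPG emits with --status-fd and retries
# with GnuPG 1.4 when the modern binary cannot check an old signature.
# Assumption: GnuPG 1.4 is installed as "gpg1" (the Debian package name);
# set GPG1 if your system installs it under another name.
GPG1=${GPG1:-gpg1}

# classify_status reads status lines on stdin and prints one word:
#   good   - GOODSIG seen and no BADSIG
#   bad    - BADSIG seen: the data does not match the signature
#   errsig - only ERRSIG seen: gpg could not check the signature at all
#            (unsupported algorithm or key format, missing key); this
#            proves nothing either way, so the file is NOT verified
#   none   - no signature status lines at all
classify_status() {
    status=none
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*) status=bad ;;
            "[GNUPG:] GOODSIG "*)
                if [ "$status" != bad ]; then status=good; fi ;;
            "[GNUPG:] ERRSIG "*)
                if [ "$status" = none ]; then status=errsig; fi ;;
        esac
    done
    printf '%s\n' "$status"
}

# verify_with_fallback SIGFILE DATAFILE: try gpg first; only when it merely
# could not check the signature (errsig/none) retry with GnuPG 1.4.
# Exit status: 0 good, 1 bad, 2 no installed GnuPG could check it.
verify_with_fallback() {
    sig=$1; data=$2
    for bin in gpg "$GPG1"; do
        command -v "$bin" >/dev/null 2>&1 || continue
        result=$("$bin" --status-fd 1 --verify "$sig" "$data" 2>/dev/null \
                 | classify_status)
        printf '%s: %s\n' "$bin" "$result"
        case "$result" in
            good) return 0 ;;
            bad)  return 1 ;;
        esac
    done
    echo "no installed GnuPG could check this signature; nothing is verified"
    return 2
}
```

A "good" result from gpg1 still carries the caveat from the message above: it confirms the file matches a PGP-2 era signature, not that such a signature is beyond a well-equipped attacker's reach.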
