having trouble checking the signature of a downloaded file

Peter Lebbing peter at digitalbrains.com
Wed Feb 21 12:07:48 CET 2018


On 21/02/18 11:53, Peter Lebbing wrote:
> The
> author might not be available anymore or willing to expend any effort.

(Or the author might not have a more authentic copy of the file anymore
either. This is not the reason I'm self-replying though).

> This all comes with a major caveat.

Make that two. The OP writes:

On 21/02/18 10:37, Henry wrote:
> I downloaded a tarball ***6.4.tar.gz, its signature file
> ***6.4.tar.gz.sig, and the author's public key ******.pgp from a
> well-known site.

This sounds like there is no more assurance that the downloaded key is
authentic than that the downloaded file is authentic. When to decide
that a key is authentic is one of the more difficult problems of
practical cryptography use. Some people take confidence from downloading
identical copies of the key from multiple HTTPS websites. There are
still ways for an attacker to serve you the wrong one each time, but
it's better than nothing... The best is direct personal contact with the
owner of the key, but it seems a long shot.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
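An added shell example, not part of the thread above, of the "compare copies from several places, then check the fingerprint" approach Peter describes. It assumes POSIX sh with sha256sum or shasum; gpg is only needed for the fingerprint and verification parts, and the file names, the EXPECTEDFINGERPRINT argument and the function names are all placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: check independently downloaded copies of a
# public key against each other, then verify a detached signature while also
# checking the signing key's fingerprint. Assumes POSIX sh plus sha256sum or
# shasum; gpg is only needed for the fingerprint and verification parts.

key_digest() {
    # SHA-256 of a file, whichever tool the platform provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

key_fingerprint() {
    # Primary-key fingerprint of an OpenPGP key file, read without importing it
    # into ~/.gnupg. Prints nothing when gpg is missing or the file is not a key.
    command -v gpg >/dev/null 2>&1 || return 0
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

key_identity() {
    # What we compare across copies: the fingerprint when gpg can parse the file
    # (so an armored and a binary copy of the same key still match), otherwise
    # the raw file digest.
    fp=$(key_fingerprint "$1")
    if [ -n "$fp" ]; then
        echo "fpr:$fp"
    else
        echo "sha256:$(key_digest "$1")"
    fi
}

compare_key_copies() {
    # Usage: compare_key_copies copy1.pgp copy2.pgp ...
    # Returns 0 when every copy has the same identity, 1 on any mismatch.
    first=""
    status=0
    for f in "$@"; do
        id=$(key_identity "$f")
        if [ -z "$first" ]; then
            first=$id
        elif [ "$id" != "$first" ]; then
            echo "MISMATCH: $f is $id, expected $first" >&2
            status=1
        fi
    done
    return "$status"
}

verify_download() {
    # Usage: verify_download key.pgp file file.sig EXPECTEDFINGERPRINT
    # EXPECTEDFINGERPRINT is uppercase hex without spaces, as gpg prints it.
    # The key is imported into a throwaway keyring so nothing touches ~/.gnupg.
    # gpg --verify exits 0 for any key it can find, trusted or not, so the
    # fingerprint comparison is what ties the signature to a key you vetted.
    keyfile=$1; file=$2; sig=$3; expected=$4
    [ -n "$expected" ] || return 1
    home=$(mktemp -d)
    gpg --batch --homedir "$home" --import "$keyfile" >/dev/null 2>&1
    # VALIDSIG status line: field 3 is the signing (sub)key fingerprint,
    # field 12 the primary key fingerprint; accept a match on either.
    got=$(gpg --batch --homedir "$home" --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | awk '$2 == "VALIDSIG" { print $3 " " $12; exit }')
    rm -rf "$home"
    case " $got " in
        *" $expected "*) return 0 ;;
    esac
    return 1
}
```

Typical use is `compare_key_copies key-site1.pgp key-site2.pgp key-site3.pgp && verify_download key-site1.pgp archive.tar.gz archive.tar.gz.sig "$FPR"`, where FPR is the fingerprint you obtained some other way (ideally from the key owner in person, as Peter notes). Identical copies from several sites raise the bar but, as the message says, do not prove the key is the author's; the fingerprint check in verify_download is where that out-of-band knowledge enters.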
