question regarding using gpg to verify a file from a .sign file

Semih Ozlem semihozlemlinuxuser at gmail.com
Fri Jul 24 18:30:14 CEST 2020


Hi

I am trying to follow the directions on the page
https://www.debian.org/CD/verify
for verifying authenticity of CDs (meaning the iso files downloaded from
Debian's page). The page has iso files then SHAxSUM files and SHAxSUM.sign
files.

I have already run the sha512sum command to verify the iso file. But I am
having difficulty in the next step... which is

" To ensure that the checksums files themselves are correct, use GnuPG to
verify them against the accompanying signature files (e.g. SHA512SUMS.sign).
The keys used for these signatures are all in the Debian GPG keyring
<https://keyring.debian.org> and the best way to check them is to use that
keyring to validate via the web of trust. To make life easier for users,
here are the fingerprints for the keys that have been used for releases in
recent years:"

quoted from the page https://www.debian.org/CD/verify

when I run the command

gpg --verify SHAxSUM.sign SHAxSUM

I get the following message

gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/user/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Sun 10 May 2020 03:17:55 AM +03
gpgv:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpgv: Can't check signature: No public key

How should I proceed to check the signature?

Thank you in advance for your help
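
Added example, not part of the original message or of Debian's instructions: gpg --verify succeeds for a good signature from any key in the keyring, so a script following the quoted step should also compare the signer's fingerprint with a pinned one, and should tell that apart from the "No public key" result shown above. The helper names classify_status and verify_sums are hypothetical, the status transcripts are constructed, and the pinned fingerprint is the one from the output above, which must itself be checked against the list Debian publishes.

```shell
#!/bin/sh
# Added example: trust SHA512SUMS only if gpg reports a valid signature
# made by one pinned key, read from the machine-readable --status-fd output.

# classify_status PINNED_FPR  (hypothetical helper; status lines on stdin)
# Prints: trusted | wrong-key | no-pubkey | bad | stale | unknown
classify_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" { bad = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "VALIDSIG" {
            # $3 is the signing key fingerprint, the last field the primary key
            if (toupper($3) == want || toupper($NF) == want) good = 1
            else other = 1
        }
        END {
            if (bad) print "bad"
            else if (stale) print "stale"
            else if (good) print "trusted"
            else if (other) print "wrong-key"
            else if (nokey) print "no-pubkey"
            else print "unknown"
        }'
}

# verify_sums SUMS_FILE SIG_FILE PINNED_FPR  (hypothetical wrapper around gpg)
verify_sums() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    [ "$(printf '%s\n' "$status" | classify_status "$3")" = trusted ]
}

# Constructed status transcripts (not captured from a real run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2020-05-10 1589069875 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B'
SAMPLE_NOKEY='[GNUPG:] ERRSIG DA87E80D6294BE9B 1 10 00 1589069875 9 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] NO_PUBKEY DA87E80D6294BE9B'
SAMPLE_OTHER='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-05-10 1589069875 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

PIN='DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B'
for sample in "$SAMPLE_GOOD" "$SAMPLE_NOKEY" "$SAMPLE_OTHER"; do
    printf '%s\n' "$sample" | classify_status "$PIN"
done
```

Only the "trusted" result means the checksums file, and therefore the sha512sum result computed from it, can be relied on.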