Flunks Sig Check

Help
Quantum
2014-05-21
2014-05-24
  • Quantum
    2014-05-21

    I am trying to verify the signature of the passwordsafe Debian package from here:
    https://sourceforge.net/projects/passwordsafe/files/Linux-BETA/0.93/

    It's the amd64 one. Judging from 19 downloads of the package, and 2 downloads of the .asc file, no one is checking this. I'm not about to install without checking.

    gpg --verify passwordsafe-debian-0.93BETA.amd64.deb.sig passwordsafe-debian-0.93BETA.amd64.deb

    gpg: Signature made Fri 07 Feb 2014 12:51:42 AM PST using RSA key ID 5CCF8BB3
    gpg: Can't check signature: No public key

    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0x919464515CCF8BB3

    gpg: Total number processed: 1
    gpg: unchanged: 1

    gpg --verify passwordsafe-debian-0.93BETA.amd64.deb.sig passwordsafe-debian-0.93BETA.amd64.deb

    gpg: Signature made Fri 07 Feb 2014 12:51:42 AM PST using RSA key ID 5CCF8BB3
    gpg: Can't check signature: No public key

    When I click on the .asc file at SF it drops down with MD5 and SHA1. Testing the package against these, it flunks. I download the package again, and it flunks with exactly the same numbers.

    What is wrong with this?

  • fernando
    2014-05-22

    $ gpg -v passwordsafe-debian-0.93BETA.amd64.deb.sig
    gpg: assuming signed data in `passwordsafe-debian-0.93BETA.amd64.deb'
    gpg: Signature made 02/07/14 02:51:42
    gpg:                using RSA key 0x919464515CCF8BB3
    gpg: using PGP trust model
    gpg: Good signature from "Rony Shapiro (PasswordSafe Signing Key) <ronys@users.sourceforge.net>" [full]
    Primary key fingerprint: A703 C132 8EAB C7B2 0175  3BA3 9194 6451 5CCF 8BB3
    gpg: binary signature, digest algorithm SHA1
    
    $ for %i in (md5, sha1) do @openssl %i *.deb*
    MD5(passwordsafe-debian-0.93BETA.amd64.deb)= 4bef42d2e3cccb5ddd6f8fae4eef5cf8
    MD5(passwordsafe-debian-0.93BETA.amd64.deb.sig)= f2ef1231de7b9a7f0c29e335d2bdecf9
    SHA1(passwordsafe-debian-0.93BETA.amd64.deb)= 716f43211fb0ae95ab04000cd283b32006220bab
    SHA1(passwordsafe-debian-0.93BETA.amd64.deb.sig)= 279a9e7c1c8bc0b282a8dde43a20b53063276034
    
    $
    
  • Quantum
    2014-05-23

    Well, it works when testing as my user, but fails as root. This doesn't make sense, as apt-key was done as root.

  • fernando
    2014-05-24

    APT key management, GPG (as root), and GPG (as user) use different keyrings.

    If done this way, both the GPG pubring.gpg and the APT trusted.gpg are updated.

    gpg --keyserver keyserver.ubuntu.com --recv-keys 0x919464515CCF8BB3
    gpg --export --armor 0x919464515CCF8BB3 | sudo apt-key add -
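As an added example (not code from this thread or from the PasswordSafe project): a POSIX sh check that treats gpg's "Good signature" as necessary but not sufficient, and pins the signing-key fingerprint shown in fernando's gpg -v output using gpg's machine-readable --status-fd lines. The sample status lines embedded below are constructed, with placeholder timestamps, so the check can be exercised without gpg or the package present.

```shell
#!/bin/sh
# Added example: verify a detached .sig and pin the signer's fingerprint.
# "Good signature" only says the signature matches *some* key in the
# keyring; comparing the VALIDSIG fingerprint ties it to the expected key.
# Fingerprint copied from the gpg -v output earlier in this thread.
EXPECTED_FPR="A703C1328EABC7B201753BA3919464515CCF8BB3"

# check_validsig EXPECTED: read "[GNUPG:] ..." status lines on stdin and
# return 0 only if a VALIDSIG line names EXPECTED as the signing key.
# Anything else (NO_PUBKEY, BADSIG, ERRSIG, or a different key) returns 1.
check_validsig() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                fpr=${line#"[GNUPG:] VALIDSIG "}   # strip the status prefix
                fpr=${fpr%% *}                      # first field: signing-key fingerprint
                [ "$fpr" = "$expected" ] && found=0
                ;;
        esac
    done
    return "$found"
}

# verify_deb SIG DEB: run gpg with status output on stdout and pin the key.
# Exit status 0 means a good signature from the pinned key, 1 otherwise.
verify_deb() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | check_validsig "$EXPECTED_FPR"
}

# Constructed sample status output, shaped like what gpg --status-fd 1 prints
# (timestamps are placeholders), used to exercise the check offline.
SAMPLE_GOOD='[GNUPG:] GOODSIG 919464515CCF8BB3 Rony Shapiro (PasswordSafe Signing Key) <ronys@users.sourceforge.net>
[GNUPG:] VALIDSIG A703C1328EABC7B201753BA3919464515CCF8BB3 2014-02-07 1391770302 0 4 0 1 2 00 A703C1328EABC7B201753BA3919464515CCF8BB3'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 919464515CCF8BB3 1 2 00 1391770302 9
[GNUPG:] NO_PUBKEY 919464515CCF8BB3'

if printf '%s\n' "$SAMPLE_GOOD" | check_validsig "$EXPECTED_FPR"; then
    echo "sample: good signature from the pinned key"
fi
if ! printf '%s\n' "$SAMPLE_NOKEY" | check_validsig "$EXPECTED_FPR"; then
    echo "sample: no public key, do not install"
fi
```

The "Can't check signature: No public key" case from the first post fails this check as well, because gpg then emits NO_PUBKEY and never a VALIDSIG line.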