hi,
I was going to verify VeraCrypt Setup 1.26.7.exe with VeraCrypt Setup 1.26.7.exe.sig. I installed the latest Gpg4win and imported the VeraCrypt certificate with fingerprint 5069A233D55A0EEB174A5FC3821ACD02680D16DE.
Then I dragged the .sig to the Kleopatra window and chose verify, resulting in "Verified ‘VeraCrypt Setup 1.26.7.exe’ with ‘VeraCrypt Setup 1.26.7.exe.sig’: The data could not be verified."
I am new to this process. Am I doing something wrong or am I missing something?
greets
See section How to Verify PGP Signatures.
Also you can verify using the links below.
Certificate Verification:
https://sourceforge.net/p/veracrypt/discussion/technical/thread/5c2188b1/?limit=25#a2d4
Windows Checksum the EXE File to Compare to the veracrypt-1.26.7-sha256sum.txt file or veracrypt-1.26.7-sha512sum.txt file
https://sourceforge.net/p/veracrypt/discussion/general/thread/6ab45d49/?limit=25#054f/e192
https://sourceforge.net/projects/veracrypt/files/VeraCrypt%201.26.7/
Command Line Method
PowerShell Method
I just downloaded the mentioned Windows version of VC and verified the signature - it's valid. So either there was an error during the download or you are not using Gpg4win correctly.
On how to use all those Gpg tools out there, you should refer to their distinct manuals. Other than this, re-download the setup file.
Greets
It will only return 100% valid if you certify the Veracrypt certificate with yours prior to doing the signature check. You may have overlooked this because you said you are not familiar with gpg4win.
Highlight the imported Veracrypt certificate > choose Certify from the Toolbar/Menu or right click the imported Veracrypt key: 5069A233D55A0EEB174A5FC3821ACD02680D16DE (in the Kleopatra window) > Certify.
This should actually not be the case. You should get a message, that the signature is valid, but the key not trusted. That's not an error, though.
Greets
I am getting this when trying to verify the .deb package:
gpg --verify veracrypt-1.26.14-Ubuntu-24.04-amd64.deb.sig veracrypt-1.26.14-Ubuntu-24.04-amd64.deb
gpg: Signature made Mon 26 Aug 2024 02:41:33 PM PDT
gpg: using RSA key 5069A233D55A0EEB174A5FC3821ACD02680D16DE
gpg: Good signature from "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) veracrypt@idrix.fr" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5069 A233 D55A 0EEB 174A 5FC3 821A CD02 680D 16DE
I followed the recommendations as indicated at https://www.veracrypt.fr/en/Digital%20Signatures.html . This does not seem right. Is the site legit? Thank you.
Last edit: Enigma2Illusion 2024-09-12
It looks like you didn't mark the VeraCrypt public key as trusted. While the signature is valid (as indicated by "Good signature"), GPG is warning you that the key is not certified with a trusted signature, meaning you haven't explicitly trusted the VeraCrypt public key yet.
The VeraCrypt documentation mentions this step here but it doesn't provide detailed commands for doing so. On Ubuntu, you can trust the key by following these steps:
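Sign the VeraCrypt key with your own key to mark it as trusted:
gpg --sign-key 0x680D16DE
This will sign the VeraCrypt public key using your private key.
Set the trust level of the signed key:
After signing the key, you need to mark it as trusted: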
gpg --edit-key 0x680D16DE
This opens an interactive prompt. Once inside, type:
trust
You will be prompted to choose a trust level. Select 5 for "ultimate trust."
After that, type:
quit
to exit the interactive session.
Now, GPG will recognize the VeraCrypt key as trusted, and you should no longer see the warning about the signature not being certified.
That being said, the output you shared shows that the signature is indeed valid:
- "Good signature from 'VeraCrypt Team'" confirms that the file was signed by the correct VeraCrypt public key.
- The fingerprint 5069 A233 D55A 0EEB 174A 5FC3 821A CD02 680D 16DE matches the official VeraCrypt key, confirming that this is a legitimate signature.
So, despite the trust warning, the file is genuine, and you can proceed safely.
Thank you very much.
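Added example (not part of the original thread and not VeraCrypt's own tooling): the two facts discussed above, "Good signature" and the matching fingerprint, can be checked mechanically from gpg's machine-readable status output, which reports signature validity separately from local trust. The function names and the sample status lines are constructed for illustration; the fingerprint is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: accept a signature only if it is cryptographically valid AND
# made by the pinned key, independent of local trust/certification settings.
# Function names and SAMPLE_STATUS are illustrative, not from the thread.

VC_FPR=5069A233D55A0EEB174A5FC3821ACD02680D16DE   # fingerprint quoted in the thread

# check_status EXPECTED_FPR: reads `gpg --status-fd` lines on stdin.
# VALIDSIG's last field is the primary key fingerprint; any failure
# keyword or a VALIDSIG from another key rejects the input.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) ok = 1; else bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# trust_of: print the TRUST_* keyword, i.e. the key's validity in the local
# web of trust. This is what "[unknown]" and the WARNING lines report.
trust_of() {
    awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2; exit }'
}

# verify_pinned SIG FILE [FPR]: run gpg and apply the pinned check.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$VC_FPR}"
}

# Constructed status output for a good signature from an uncertified key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 821ACD02680D16DE VeraCrypt Team <veracrypt@idrix.fr>
[GNUPG:] VALIDSIG 5069A233D55A0EEB174A5FC3821ACD02680D16DE 2024-08-26 1724708493 0 4 0 1 10 00 5069A233D55A0EEB174A5FC3821ACD02680D16DE
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if printf '%s\n' "$SAMPLE_STATUS" | check_status "$VC_FPR"; then
    echo "signature valid for pinned key; local trust: $(printf '%s\n' "$SAMPLE_STATUS" | trust_of)"
fi
```

With gpg installed and the key imported, `verify_pinned veracrypt-1.26.14-Ubuntu-24.04-amd64.deb.sig veracrypt-1.26.14-Ubuntu-24.04-amd64.deb` returns 0 only for a valid signature from that fingerprint, whether or not the key has been certified locally.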