On 07/04/2017 03:40 PM, fuflono--- via Gnupg-users wrote:
> -----Original Message-----
> From: fuflono <fufl...@aol.com>
> To: gnupg-users <gnupg-users@gnupg.org>
> Sent: Mon, Jul 3, 2017 4:01 pm
> Subject: which program use: gpg or gpgv?
>
> Hi,
> my Debian8.8 has the programs about gpg:
>
> -rwxr-xr-x 1 root root 1128700 Sep 3 2016 gpg
> -rwxr-xr-x 1 root root 913236 Sep 3 2016 gpg2
> -rwxr-xr-x 1 root root 334260 Sep 3 2016 gpg-agent
> -rwxr-xr-x 1 root root 148108 Sep 3 2016 gpgconf
> -rwxr-xr-x 1 root root 165508 Sep 3 2016 gpg-connect-agent
> -rwxr-xr-x 1 root root 38144 Sep 3 2016 gpgkey2ssh
> -rwxr-xr-x 1 root root 25908 Sep 3 2016 gpgparsemail
> -rwxr-xr-x 1 root root 59104 Sep 3 2016 gpgsplit
> -rwxr-xr-x 1 root root 407820 Sep 3 2016 gpgv
> -rwxr-xr-x 1 root root 3303 Sep 3 2016 gpg-zip
>
> Are they enough or no, for verifying integrity of packages?
>
> Also is ~/.gnupg
> drwx------ 2 user user 4096 Aug 13 2016 private-keys-v1.d #it's empty#
> -rw------- 1 user user 0 Jun 24 15:34 pubring.gpg
> -rw------- 1 user user 0 Jun 28 12:45 secring.gpg
> -rw------- 1 user user 40 Jun 30 07:19 trustdb.gpg
> user@debian:~/.gnupg$
>
> And I don't know which program use: gpg or gpgv?
> ------------------------------------------
> ~/Downloads/screen-4.5.1$ gpg -vv --verify screen-4.5.1.tar.gz.sig
> screen-4.5.1.tar.gz
> gpg: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
> version 4, created 1488037815, md5len 0, sigclass 0x00
> digest algo 8, begin of digest 2e ec
> hashed subpkt 33 len 21 (?)
> hashed subpkt 2 len 4 (sig created 2017-02-25)
> subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
> data: [4095 bits]
> gpg: Signature made Sat 25 Feb 2017 10:50:15 AM EST using RSA key ID
> F747ABD7
> gpg: Can't check signature: public key not found
> user@debian:~/Downloads/screen-4.5.1$
> ~/Downloads/screen-4.5.1$

This means you do not have the correct key in pubring.gpg where the main gpg executable is expecting it. As pubring.gpg is a zero byte file, this is entirely to be expected. To fix this, add the appropriate keys.

> --------------------------------------
> :~/Downloads/screen-4.5.1$ gpgv -vv screen-4.5.1.tar.gz.sig
> gpgv: keyblock resource `/home/user/.gnupg/trustedkeys.gpg': file open error
> gpgv: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
> version 4, created 1488037815, md5len 0, sigclass 0x00
> digest algo 8, begin of digest 2e ec
> hashed subpkt 33 len 21 (?)
> hashed subpkt 2 len 4 (sig created 2017-02-25)
> subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
> data: [4095 bits]
> gpgv: no signed data
> gpgv: can't hash datafile: file open error
> user@debian:~/Downloads/screen-4.5.1$
> -----------------------------------

The first line means there is no trustedkeys.gpg keyring. This is the keyring that gpgv uses. Unlike the main gpg program, it assumes everything on that keyring is a valid and fully trustable key.

Which one you decide to use to verify packages is ultimately a matter of personal choice. If you wish to keep a separate keyring for the purpose of verifying signatures on certain files such as software releases, then perhaps gpgv is the better choice. If you think that's overkill and you are content with one keyring for both correspondence and signature verification, then the main gpg program will do.

Debian itself uses gpgv to verify updates but there is a specific reason for this, that being that the apt and dpkg tools used by most users never need to sign or encrypt anything, only verify signatures.

--
Shawn K. Quinn <skqu...@rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
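
An added example, not part of the original thread: a shell wrapper for the separate-keyring approach with gpgv described in the reply. It checks that the keyring and the signed file are present before calling gpgv, the two "file open error" conditions in the quoted gpgv output. The function names and file paths are hypothetical, and it assumes the signer's public key is available as an ASCII-armored file whose fingerprint has been checked out of band.

```shell
#!/bin/sh
# Added example (hypothetical names and paths, not from the thread).

# make_keyring KEY_ASC KEYRING
# Write an ASCII-armored public key into a binary keyring file for gpgv.
# gpgv treats every key in its keyring as valid, so check the key's
# fingerprint out of band before running this.
make_keyring() {
    key_asc=$1; keyring=$2
    [ -s "$key_asc" ] || { echo "no key file: $key_asc" >&2; return 2; }
    gpg --dearmor < "$key_asc" > "$keyring" || { rm -f "$keyring"; return 1; }
}

# verify_release SIG DATA KEYRING
# Returns 0 only when gpgv accepts SIG over DATA using keys in KEYRING.
#   2 = keyring missing or empty   3 = signature or data file missing
#   1 = gpgv did not accept the signature
verify_release() {
    sig=$1; data=$2; keyring=$3
    # gpgv looks up a --keyring name without a slash in its home directory,
    # so anchor bare names to the current directory.
    case $keyring in
        */*) ;;
        *) keyring=./$keyring ;;
    esac
    if [ ! -s "$keyring" ]; then
        echo "keyring missing or empty: $keyring" >&2
        return 2
    fi
    if [ ! -f "$sig" ] || [ ! -f "$data" ]; then
        echo "need both the signature and the signed file" >&2
        return 3
    fi
    # Name the signed file explicitly instead of letting gpgv guess it.
    gpgv --keyring "$keyring" "$sig" "$data" || return 1
}

# Usage (constructed file names):
#   make_keyring release-key.asc ./release-keys.gpg
#   verify_release pkg.tar.gz.sig pkg.tar.gz ./release-keys.gpg && echo verified
```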