Fwd: which program use: gpg or gpgv?


Fwd: which program use: gpg or gpgv?

GnuPG - User mailing list




-----Original Message-----
From: fuflono <[hidden email]>
To: gnupg-users <[hidden email]>
Sent: Mon, Jul 3, 2017 4:01 pm
Subject: which program use: gpg or gpgv?

Hi,
my Debian 8.8 has these gpg-related programs:

-rwxr-xr-x  1 root   root    1128700 Sep  3  2016 gpg
-rwxr-xr-x  1 root   root     913236 Sep  3  2016 gpg2
-rwxr-xr-x  1 root   root     334260 Sep  3  2016 gpg-agent
-rwxr-xr-x  1 root   root     148108 Sep  3  2016 gpgconf
-rwxr-xr-x  1 root   root     165508 Sep  3  2016 gpg-connect-agent
-rwxr-xr-x  1 root   root      38144 Sep  3  2016 gpgkey2ssh
-rwxr-xr-x  1 root   root      25908 Sep  3  2016 gpgparsemail
-rwxr-xr-x  1 root   root      59104 Sep  3  2016 gpgsplit
-rwxr-xr-x  1 root   root     407820 Sep  3  2016 gpgv
-rwxr-xr-x  1 root   root       3303 Sep  3  2016 gpg-zip

Are they enough, or not, for verifying the integrity of packages?

Also, ~/.gnupg contains:
drwx------  2 user user 4096 Aug 13  2016 private-keys-v1.d #it's empty#
-rw-------  1 user user    0 Jun 24 15:34 pubring.gpg
-rw-------  1 user user    0 Jun 28 12:45 secring.gpg
-rw-------  1 user user   40 Jun 30 07:19 trustdb.gpg
user@debian:~/.gnupg$

And I don't know which program to use: gpg or gpgv?
------------------------------------------
~/Downloads/screen-4.5.1$ gpg -vv --verify screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz
gpg: armor: BEGIN PGP SIGNATURE
:signature packet: algo 1, keyid 21F968DEF747ABD7
    version 4, created 1488037815, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 2e ec
    hashed subpkt 33 len 21 (?)
    hashed subpkt 2 len 4 (sig created 2017-02-25)
    subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
    data: [4095 bits]
gpg: Signature made Sat 25 Feb 2017 10:50:15 AM EST using RSA key ID F747ABD7
gpg: Can't check signature: public key not found
user@debian:~/Downloads/screen-4.5.1$
~/Downloads/screen-4.5.1$
--------------------------------------
:~/Downloads/screen-4.5.1$ gpgv -vv screen-4.5.1.tar.gz.sig
gpgv: keyblock resource `/home/user/.gnupg/trustedkeys.gpg': file open error
gpgv: armor: BEGIN PGP SIGNATURE
:signature packet: algo 1, keyid 21F968DEF747ABD7
    version 4, created 1488037815, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 2e ec
    hashed subpkt 33 len 21 (?)
    hashed subpkt 2 len 4 (sig created 2017-02-25)
    subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
    data: [4095 bits]
gpgv: no signed data
gpgv: can't hash datafile: file open error
user@debian:~/Downloads/screen-4.5.1$
-----------------------------------
I guess I don't have enough public keys. Please tell me what to do, and excuse my stupid questions:
While I attempt to operate gpg or gpgv, of course some things will go wrong. May I remove improper files that appear? Do I need to switch on cookies when trying to get keys? As a reminder, I just need to verify screen-4.5.1.tar.gz with screen-4.5.1.tar.gz.sig; I hope to learn this program afterwards.
Thanks all.

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Fwd: which program use: gpg or gpgv?

Daniel Kahn Gillmor-7
On Tue 2017-07-04 16:40:17 -0400, fuflono--- via Gnupg-users wrote:

> Hi,
> my Debian 8.8 has these gpg-related programs:
>
> -rwxr-xr-x  1 root   root    1128700 Sep  3  2016 gpg
> -rwxr-xr-x  1 root   root     913236 Sep  3  2016 gpg2
> -rwxr-xr-x  1 root   root     334260 Sep  3  2016 gpg-agent
> -rwxr-xr-x  1 root   root     148108 Sep  3  2016 gpgconf
> -rwxr-xr-x  1 root   root     165508 Sep  3  2016 gpg-connect-agent
> -rwxr-xr-x  1 root   root      38144 Sep  3  2016 gpgkey2ssh
> -rwxr-xr-x  1 root   root      25908 Sep  3  2016 gpgparsemail
> -rwxr-xr-x  1 root   root      59104 Sep  3  2016 gpgsplit
> -rwxr-xr-x  1 root   root     407820 Sep  3  2016 gpgv
> -rwxr-xr-x  1 root   root       3303 Sep  3  2016 gpg-zip
>
> Are they enough, or not, for verifying the integrity of packages?
More recent versions of Debian will use gpgv for verifying the integrity of
downloaded system packages, and do not need gpg itself for this purpose.

If you want to verify packages signed by other developers, you'll need
to get their keys, though, and that requires knowing their keys.

According to the versions at https://ftp.gnu.org/gnu/screen/, it looks
like screen 4.5.1 has been signed with key
0x71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7, while the most recent
version of screen (4.6.0) has been signed with
0x2EE59A5D0C50167B5535BBF1B708A383C53EF3A4.

Which of these keys is a legitimate key to validate versions of screen?
I don't know!  They're both listed in
https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen
though, so perhaps they're both acceptable.


If you fetch the maintainers' file from savannah, and convert it into an
OpenPGP binary form, you should be able to validate the screen package
against it:

    wget -O screen-keys.asc 'https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen&download=1'
    gpg --dearmor < screen-keys.asc > screen-keys.gpg

    wget https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz.sig
    gpgv --keyring $(pwd)/screen-keys.gpg screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz


This should show you something like:

    gpgv: Signature made Sat 25 Feb 2017 10:50:15 AM EST
    gpgv:                using RSA key 71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7
    gpgv: Good signature from "Alexander Naumov <[hidden email]>"

Note, however, that you've only moved the responsibility from verifying
the package to verifying which keys actually are the legitimate keys for
the maintainers of GNU screen.  So it's a win, but it's not perfect.

hth,

        --dkg


Re: Fwd: which program use: gpg or gpgv?

Shawn K. Quinn
In reply to this post by GnuPG - User mailing list
On 07/04/2017 03:40 PM, fuflono--- via Gnupg-users wrote:

> -----Original Message-----
> From: fuflono <[hidden email]>
> To: gnupg-users <[hidden email]>
> Sent: Mon, Jul 3, 2017 4:01 pm
> Subject: which program use: gpg or gpgv?
>
> Hi,
> my Debian 8.8 has these gpg-related programs:
>
> -rwxr-xr-x  1 root   root    1128700 Sep  3  2016 gpg
> -rwxr-xr-x  1 root   root     913236 Sep  3  2016 gpg2
> -rwxr-xr-x  1 root   root     334260 Sep  3  2016 gpg-agent
> -rwxr-xr-x  1 root   root     148108 Sep  3  2016 gpgconf
> -rwxr-xr-x  1 root   root     165508 Sep  3  2016 gpg-connect-agent
> -rwxr-xr-x  1 root   root      38144 Sep  3  2016 gpgkey2ssh
> -rwxr-xr-x  1 root   root      25908 Sep  3  2016 gpgparsemail
> -rwxr-xr-x  1 root   root      59104 Sep  3  2016 gpgsplit
> -rwxr-xr-x  1 root   root     407820 Sep  3  2016 gpgv
> -rwxr-xr-x  1 root   root       3303 Sep  3  2016 gpg-zip
>
> Are they enough, or not, for verifying the integrity of packages?
>
> Also, ~/.gnupg contains:
> drwx------  2 user user 4096 Aug 13  2016 private-keys-v1.d #it's empty#
> -rw-------  1 user user    0 Jun 24 15:34 pubring.gpg
> -rw-------  1 user user    0 Jun 28 12:45 secring.gpg
> -rw-------  1 user user   40 Jun 30 07:19 trustdb.gpg
> user@debian:~/.gnupg$
>
> And I don't know which program to use: gpg or gpgv?
> ------------------------------------------
> ~/Downloads/screen-4.5.1$ gpg -vv --verify screen-4.5.1.tar.gz.sig
> screen-4.5.1.tar.gz
> gpg: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
>     version 4, created 1488037815, md5len 0, sigclass 0x00
>     digest algo 8, begin of digest 2e ec
>     hashed subpkt 33 len 21 (?)
>     hashed subpkt 2 len 4 (sig created 2017-02-25)
>     subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
>     data: [4095 bits]
> gpg: Signature made Sat 25 Feb 2017 10:50:15 AM EST using RSA key ID
> F747ABD7
> gpg: Can't check signature: public key not found
> user@debian:~/Downloads/screen-4.5.1$
> ~/Downloads/screen-4.5.1$
This means you do not have the correct key in pubring.gpg where the main
gpg executable is expecting it. As pubring.gpg is a zero byte file, this
is entirely to be expected. To fix this, add the appropriate keys.

> --------------------------------------
> :~/Downloads/screen-4.5.1$ gpgv -vv screen-4.5.1.tar.gz.sig
> gpgv: keyblock resource `/home/user/.gnupg/trustedkeys.gpg': file open error
> gpgv: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
>     version 4, created 1488037815, md5len 0, sigclass 0x00
>     digest algo 8, begin of digest 2e ec
>     hashed subpkt 33 len 21 (?)
>     hashed subpkt 2 len 4 (sig created 2017-02-25)
>     subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
>     data: [4095 bits]
> gpgv: no signed data
> gpgv: can't hash datafile: file open error
> user@debian:~/Downloads/screen-4.5.1$
> -----------------------------------
The first line means there is no trustedkeys.gpg keyring. This is the
keyring that gpgv uses. Unlike the main gpg program, it assumes
everything on that keyring is a valid and fully trustable key.

Which one you decide to use to verify packages is ultimately a matter of
personal choice. If you wish to keep a separate keyring for the purpose
of verifying signatures on certain files such as software releases, then
perhaps gpgv is the better choice. If you think that's overkill and you
are content with one keyring for both correspondence and signature
verification, then the main gpg program will do. Debian itself uses gpgv
to verify updates but there is a specific reason for this, that being
that the apt and dpkg tools used by most users never need to sign or
encrypt anything, only verify signatures.

--
Shawn K. Quinn <[hidden email]>
http://www.rantroulette.com
http://www.skqrecordquest.com
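The two replies above make one point between them: dkg's recipe verifies the tarball against a dedicated keyring, and Shawn notes that gpgv treats every key on that keyring as fully trusted, so the "which keys are legitimate" decision is yours. The following is an added example (not code from either poster or from GnuPG) that wraps dkg's gpgv invocation and checks the gpgv `--status-fd` output against an allow-list of the two maintainer fingerprints dkg cited; the sample status text and the signer e-mail in it are constructed, and `verify_release` assumes gpgv is installed.

```python
import os
import subprocess
from typing import Set, Tuple

# The two GNU screen maintainer fingerprints dkg cited in the thread.
SCREEN_RELEASE_KEYS = {
    "71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7",
    "2EE59A5D0C50167B5535BBF1B708A383C53EF3A4",
}

# Constructed sample of gpgv --status-fd output for a good signature
# (the signer e-mail is a placeholder, not the maintainer's real address).
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 21F968DEF747ABD7 Alexander Naumov <maintainer@example.org>
[GNUPG:] VALIDSIG 71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7 2017-02-25 1488037815 0 4 0 1 8 00 71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7
"""
HARD_FAILURES = ("BADSIG", "ERRSIG", "NO_PUBKEY", "NODATA",
                 "EXPSIG", "EXPKEYSIG", "REVKEYSIG")

def parse_gpgv_status(status_text: str, allowed: Set[str]) -> Tuple[bool, str, str]:
    """Return (ok, fingerprint, reason): accept only a GOODSIG whose VALIDSIG
    fingerprint is allow-listed, since gpgv itself trusts every key it holds."""
    good, fpr = False, ""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable text, not a machine status line
        kw = fields[1]
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG":
            # field 2 is the signing (sub)key fingerprint; field 11, when
            # present, is the primary key's, which is what allow-lists hold.
            fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
        elif kw in HARD_FAILURES:
            return False, fpr, kw
    if not (good and fpr):
        return False, fpr, "no GOODSIG/VALIDSIG pair"
    if fpr not in allowed:
        return False, fpr, "signing key not on allow-list"
    return True, fpr, "ok"

def verify_release(sig: str, data: str, keyring: str, allowed: Set[str]):
    """Run gpgv with a dedicated keyring, as dkg's recipe does. The path is made
    absolute because gpgv resolves a relative --keyring against ~/.gnupg
    (hence dkg's $(pwd)/screen-keys.gpg); needs gpgv installed."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", os.path.abspath(keyring),
         sig, data], capture_output=True, text=True)
    return parse_gpgv_status(proc.stdout, allowed)
```

With dkg's files in place, `verify_release("screen-4.5.1.tar.gz.sig", "screen-4.5.1.tar.gz", "screen-keys.gpg", SCREEN_RELEASE_KEYS)` returns `(True, <fingerprint>, "ok")` only when the signature is good and made by one of the listed keys.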

