如何使用 .sig 文件验证下载的文件? [英] How to verify downloaded file with .sig file?

问题描述

当我下载 GCC 时，它还有一个 .sig 文件，我认为它是用来验证下载文件的.(我从这里下载了GCC).

When I download GCC, it also has a .sig file, and I think it is provided to verify downloaded file. (I downloaded GCC from here).

但我不知道应该如何使用它.我试过 gpg，但它抱怨公钥.

But I can't figure out how should I use it. I tried gpg, but it complains about public key.

[root@localhost src]# gpg --verify gcc-4.7.2.tar.gz.sig gcc-4.7.2.tar.gz
gpg: Signature made Thu 20 Sep 2012 07:30:44 PM KST using DSA key ID C3C45C06
gpg: Can't check signature: No public key
[root@localhost src]# 

如何使用 .sig 文件验证下载的文件?

How can I verify downloaded file with .sig file?

推荐答案

需要导入公钥:C3C45C06

可以分三步完成.

1. 查找公钥 ID:

1. find public key ID:

$ gpg gcc-4.7.2.tar.gz.siggpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06gpg:无法检查签名:没有公钥

$ gpg gcc-4.7.2.tar.gz.sig gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06 gpg: Can't check signature: No public key

从密钥服务器导入公钥.通常不需要选择密钥服务器，但可以通过 --keyserver 来完成.密钥服务器示例.

import the public key from key server. It's usually not needed to choose key server, but it can be done with --keyserver <server>. Keyserver examples.

$ gpg --recv-key C3C45C06gpg:从 hkp 服务器 keys.gnupg.net 请求密钥 C3C45C06gpg:密钥 C3C45C06:公钥Jakub Jelinek jakub@redhat.com"进口的gpg:未找到最终受信任的密钥gpg:处理的总数:1gpg:导入:1

$ gpg --recv-key C3C45C06 gpg: requesting key C3C45C06 from hkp server keys.gnupg.net gpg: key C3C45C06: public key "Jakub Jelinek jakub@redhat.com" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1

如果命令错误超时，您可以位于阻止默认 gpg 端口的防火墙后面.尝试使用带有端口 80 的 `--keyserver' 选项(几乎所有防火墙都允许端口 80 b/c 进行网页浏览):

If the command error's out with a timeout, you may be behind a firewall that is blocking the default gpg port. Try using the `--keyserver' option with port 80 (almost all firewalls allow port 80 b/c of web browsing):

$ gpg --keyserver hkp://${HOSTNAME}:80 --recv-keys ${KEY_ID}

1. 验证签名:

1. verify signature:

$ gpg gcc-4.7.2.tar.gz.siggpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06gpg:来自Jakub Jelinek jakub@redhat.com"的良好签名[未知]gpg:警告:此密钥未经可信签名认证！gpg:没有迹象表明签名属于所有者.主键指纹:33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06

$ gpg gcc-4.7.2.tar.gz.sig gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06 gpg: Good signature from "Jakub Jelinek jakub@redhat.com" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06

输出应显示良好的签名".

The output should say "Good signature".

gpg:警告:此密钥未经过可信签名认证！

gpg: WARNING: This key is not certified with a trusted signature!

是另一个问题；)

这篇关于如何使用 .sig 文件验证下载的文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！