如何验证下载的文件与.sig文件？ [英] How to verify downloaded file with .sig file?

问题描述

当我下载GCC时，它还有一个 .sig 文件，我认为它是用来验证下载的文件。
（我从此处下载了GCC）。

When I download GCC, it also has a .sig file, and I think it is provided to verify downloaded file. (I downloaded GCC from here).

但我不知道如何使用它。我试过 gpg ，但它抱怨公钥。

But I can't figure out how should I use it. I tried gpg, but it complains about public key.

[root@localhost src]# gpg --verify gcc-4.7.2.tar.gz.sig gcc-4.7.2.tar.gz
gpg: Signature made Thu 20 Sep 2012 07:30:44 PM KST using DSA key ID C3C45C06
gpg: Can't check signature: No public key
[root@localhost src]# 

如何使用 .sig 文件验证下载的文件？

How can I verify downloaded file with .sig file?

推荐答案

您需要导入公钥： C3C45C06

可以分三步完成。

1）查找公钥ID：

$ gpg gcc-4.7.2.tar.gz.sig 
gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06
gpg: Can't check signature: No public key

2）从密钥服务器导入公钥。通常不需要选择密钥服务器，但可以通过 - keyserver< server> 来完成。 密钥服务器示例

2) import the public key from key server. It's usually not needed to choose key server, but it can be done with --keyserver <server>. Keyserver examples.

$ gpg --recv-key C3C45C06
gpg: requesting key C3C45C06 from hkp server keys.gnupg.net
gpg: key C3C45C06: public key "Jakub Jelinek <jakub@redhat.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

3）验证签名：

$ gpg gcc-4.7.2.tar.gz.sig 
gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek <jakub@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29  3709 A328 C3A2 C3C4 5C06

说好签名。

gpg：警告：此密钥未通过可信签名！

gpg: WARNING: This key is not certified with a trusted signature!

是另一个问题;）

这篇关于如何验证下载的文件与.sig文件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！