GPG Verification using Kleopatra

tms

Cadet
Joined
May 30, 2023
Messages
2
A little help please.

I've checked the forums and the two relevant posts don't cover my issue.

I'm using Kleopatra to verify my download, but it doesn't verify it. It instead gives me this:
Kleopatra.png



I've never used this software before, and do not know if I'm doing anything wrong. So any help would be greatly appreciated.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
What is it that you really want to do?

If you want to check that the file you have locally is the same as the one on the server, don't use the .gpg file for that, use the .sha256 file and compare the content to a locally generated sha256 hash on your local file (sha256sum /mnt/path/to/file.iso).

If you're trying to see if the file on the server has been compromised by a nefarious person with no access to the private key of iXSystems... that's a whole different story and I'm not sure that can really be done by you.
 

tms

Cadet
Joined
May 30, 2023
Messages
2
@sretalla

Thanks for that. Yes, I want to check that the file I have locally is the same as the one on the server.

I've already verified the .sha256 matches, so that is good enough then. I don't know why they have that step (2.1.1.1. PGP Verification) in the user guide if it's not necessary.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
The current documentation is here and the method described in that document works:
Code:
$ gpg --keyserver keys.openpgp.org --recv-keys 0xc8d62def767c1db0dff4e6ec358eaa9112cf7946
gpg: /Users/pmh/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: Schlüssel 358EAA9112CF7946: Öffentlicher Schlüssel "IX SecTeam <security-officer@ixsystems.com>" importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1
$ cd Downloads/
$  gpg --verify TrueNAS-13.0-U4.iso.gpg TrueNAS-13.0-U4.iso
gpg: Signatur vom Di 28 Feb 17:09:28 2023 CET
gpg:                mittels RSA-Schlüssel C8D62DEF767C1DB0DFF4E6EC358EAA9112CF7946
gpg: Korrekte Signatur von "IX SecTeam <security-officer@ixsystems.com>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = C8D6 2DEF 767C 1DB0 DFF4  E6EC 358E AA91 12CF 7946


(Sorry about the German locale - it says "correct signature by IX SecTeam ..." in the fourth line from the bottom.)
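
Added example, not part of any post in this thread: a locale-independent way to read the result of the `gpg --verify` call above, using GnuPG's machine-readable `--status-fd` output instead of the translated messages. It also compares the signing key's fingerprint with a pinned value, which is the check the "no trusted signature" warning leaves to the user. The function names `check_status` and `verify_download` are hypothetical, and the pinned fingerprint is the one shown in the thread's output; confirm it against the vendor's documentation before relying on it.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Fingerprint as printed in the thread's gpg output (assumed to be the
# vendor's real signing key; confirm it from a source you trust).
EXPECTED_FPR=C8D62DEF767C1DB0DFF4E6EC358EAA9112CF7946

# check_status FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if gpg reported a
# good signature (GOODSIG), the VALIDSIG primary-key fingerprint equals FPR,
# and no bad/expired/revoked status was emitted.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint when present;
            # field 3 is the fingerprint of the key that signed.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) pinned = 1
        }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit ((good && pinned && !bad) ? 0 : 1) }
    '
}

# verify_download SIGFILE DATAFILE
# Status lines go to fd 1; the localized human-readable text goes to
# stderr and is discarded, so the result does not depend on the locale.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Example: sh verify.sh TrueNAS-13.0-U4.iso.gpg TrueNAS-13.0-U4.iso
if [ "$#" -eq 2 ]; then
    if verify_download "$1" "$2"; then
        echo "OK: good signature from $EXPECTED_FPR"
    else
        echo "FAILED: no good signature from the pinned key" >&2
        exit 1
    fi
fi
```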
 