当我下载 GCC 时,它还有一个 .sig 文件,我认为它是用来验证下载文件的.(我从这里下载了GCC).
When I download GCC, it also has a .sig file, and I think it is provided to verify downloaded file. (I downloaded GCC from here).
但我不知道应该如何使用它.我试过 gpg,但它抱怨公钥.
But I can't figure out how should I use it. I tried gpg, but it complains about public key.
[root@localhost src]# gpg --verify gcc-4.7.2.tar.gz.sig gcc-4.7.2.tar.gz gpg: Signature made Thu 20 Sep 2012 07:30:44 PM KST using DSA key ID C3C45C06 gpg: Can't check signature: No public key [root@localhost src]#如何使用 .sig 文件验证下载的文件?
How can I verify downloaded file with .sig file?
推荐答案需要导入公钥:C3C45C06
可以分三步完成.
查找公钥 ID:
find public key ID:
$ gpg gcc-4.7.2.tar.gz.siggpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06gpg:无法检查签名:没有公钥
$ gpg gcc-4.7.2.tar.gz.sig gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06 gpg: Can't check signature: No public key
从密钥服务器导入公钥.通常不需要选择密钥服务器,但可以通过 --keyserver 来完成.密钥服务器示例.
import the public key from key server. It's usually not needed to choose key server, but it can be done with --keyserver <server>. Keyserver examples.
$ gpg --recv-key C3C45C06gpg:从 hkp 服务器 keys.gnupg 请求密钥 C3C45C06gpg:密钥 C3C45C06:公钥Jakub Jelinek jakub@redhat"进口的gpg:未找到最终受信任的密钥gpg:处理的总数:1gpg:导入:1
$ gpg --recv-key C3C45C06 gpg: requesting key C3C45C06 from hkp server keys.gnupg gpg: key C3C45C06: public key "Jakub Jelinek jakub@redhat" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1
如果命令错误超时,您可以位于阻止默认 gpg 端口的防火墙后面.尝试使用带有端口 80 的 `--keyserver' 选项(几乎所有防火墙都允许端口 80 b/c 进行网页浏览):
If the command error's out with a timeout, you may be behind a firewall that is blocking the default gpg port. Try using the `--keyserver' option with port 80 (almost all firewalls allow port 80 b/c of web browsing):
$ gpg --keyserver hkp://${HOSTNAME}:80 --recv-keys ${KEY_ID}验证签名:
verify signature:
$ gpg gcc-4.7.2.tar.gz.siggpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06gpg:来自Jakub Jelinek jakub@redhat"的良好签名[未知]gpg:警告:此密钥未经可信签名认证!gpg:没有迹象表明签名属于所有者.主键指纹:33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06
$ gpg gcc-4.7.2.tar.gz.sig gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06 gpg: Good signature from "Jakub Jelinek jakub@redhat" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06
输出应显示良好的签名".
The output should say "Good signature".
gpg:警告:此密钥未经过可信签名认证!
gpg: WARNING: This key is not certified with a trusted signature!
是另一个问题;)
更多推荐
如何使用 .sig 文件验证下载的文件?
发布评论