Linux下使用.sig文件验证签名

文件验证签名"/>

Linux下使用.sig文件验证签名

以 libunwind-1.70.tar.gz 和 libunwind-1.70.tar.gz.sig 为例

1. 将 libunwind-1.70.tar.gz 和 libunwind-1.70.tar.gz.sig 放在同一路径下
   

2. 使用gpg进行验证，此时输出如注释所示（no public key）

$ gpg --verify libunwind-1.70.tar.gz.sig libunwind-1.70.tar.gz
# output:
# gpg: signature made 2023年06月04日 星期日 2时20分45秒 CST
# gpg:              using RSA kev OAOFF845B7DB3427
# gpg:Can't check signature: No public key

3. 根据gpg提示的key找到公钥，此时提示 new key but contains no user ID - skipped

$ gpg --recv-keys 0x0A0FF845B7DB3427
# output:
# gpg:key 0A0FF845B7DB3427: new key but contains no user ID - skipped
# gpg:Total number processed: 1
# gpg:          w/o user IDs: 1

4. 切换服务器

$ gpg --key-server hkp://pgp.mit.edu --recv-keys 0x0A0FF845B7DB3427
# output:
# gpg: key 0A0FF845B7DB3427: public key "stephen M. Webb <stephen.webbabregmasoft.ca>" imported
# gpg:Total number processed: 1
# gpg:              imported: 1

5. 再次验证

$ gpg --verify --verbose libunwind-1.70,tar .gz.sig libunwind1.70.tar.gz
# output:
# gpg:              using RSA key AOFF845B7DB3427
# gpg:using pgp trust model
# gpg:Good signature from "stephen M. Webb stephen.webbabregmasoft.ca>" [unknown]
# gpg:                aka "stephen M.Webb <stephen@ubuntu>" [unknown]
# gpg:                aka "stephen M.Webb <stephen.webbacanonical>" [unknown]
# gpg:                aka "[jpeg image of size 3674]" [unknown]
# gpg:WARNING: This key is not certified with a trusted signature!
# gpg:  There is no indication that the signature belongs to the owner

• 参考链接：
• .html