Thanks, Wayne. I was using Firefox.
Could you tell me what I am doing wrong with this signature?
$ ll rsync-2.6.2.tar.gz.sig rsync-2.6.2.tar.gz
-rw------- 1 dking users 515402 Jun 16 09:36 rsync-2.6.2.tar.gz
-rw------- 1 dking users 65 Jun 16 14:49
rsync-2.6.2.tar.gz.sig
$ gpg --verify rsync-2.6.2.tar.gz.sig rsync-2.6.2.tar.gz
gpg: Signature made Fri Apr 30 14:04:25 2004 EDT using DSA key ID 4B96A8C5
gpg: Can't check signature: public key not found
$ gpg --list-keys
...
pub 1024D/189C0E94 2000-02-25 Dave Dykstra <dwd@bell-labs.com>
I think this is right!
$ cat rsync-2.6.2.tar.gz.sig
?@??)l
??K???M?tA{??Nr&ED????N?????W4??}?}?
?QP?
If I understand correctly, the sig file should be ASCII readable.
A. Daniel King, System Analyst
Fiserv - Atlanta Center
HP-UX, Solaris, Linux
On Wed, Jun 16, 2004 at 04:35:39PM -0400, King, Daniel wrote:> Could you tell me what I am doing wrong with this signature?You need to fetch the key so gpg can check the signature (I signed the file, not Dave). The key is available through the public keyserver network. One way to get it is to do a manual key receive: gpg --keyserver=x-hkp://pgp.mit.edu --recv-keys 4B96A8C5 Another is to configure gpg to do automatic key retrievals by adding these lines to its config file (substitute whatever keyserver you like): keyserver x-hkp://pgp.mit.edu keyserver-options auto-key-retrieve Then it would automatically fetch the key when you do the gpg --verify. Finally, if you need to get the key to a system that is not on the Internet, you can grab a copy of the key via a webbrowser by fetching this URL: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B96A8C5 ... and then transport the returned text to the appropriate system and import it via gpg. ..wayne..
Thanks, Wayne. Again. Unfortunately, on the inside of our firewall, even the web fetch of the signature is still failing. However, I learned just yesterday how to access a non-firewalled machine outside our site. Importing the signature went quickly thereafter. $ gpg --verify rsync-2.6.2.tar.gz.sig rsync-2.6.2.tar.gz gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: Signature made Fri Apr 30 14:04:25 2004 EDT using DSA key ID 4B96A8C5 gpg: Good signature from "Wayne Davison <wayned@samba.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 0048 C8B0 26D4 C96F 0E58 9C2F 6C85 9FB1 4B96 A8C5 I don't yet have a "web of trust;" should I be concerned about the "not certified" issue above? A. Daniel King, System Analyst Fiserv - Atlanta Center HP-UX, Solaris, Linux