gpg --verify之"Can't check signature: No public key"

自从XcodeGhost之后下载软件之后也会先验证一下md5sum,现在发现后面还有gpg签名,于是也开始学习一下。

  • gpg的文件在centos6.4上是默认安装的,其安装使用可以参照ruanyifeng的文章

这里主要讲一下怎么对下载的文件进行验证。

  • 首先当然是下载安装文件,这次下载的使用wso2的data service server 3.2.1,下载地址

  • 然后是打开gpg文件,如下图1所示,将这个文件也下载下来

1

  • 在term下面执行gpg --verify wso2dss-3.2.1.zip.asc,可以得到如下的提示

    gpg: Signature made Tue 13 May 2014 05:06:11 AM PDT using RSA key ID 2B2458BF
    gpg: Can't check signature: No public key
  • 原因是没有2B2458BF这个KEY ID的公钥,于是可以使用以下语句下载公钥

    $ gpg --search-keys 2B2458BF
    gpg: searching for "2B2458BF" from hkp server keys.gnupg.net
    gpg: keyserver timed out
    gpg: keyserver search failed: Keyserver error
  • 发现错误,可能是端口的问题,参照此文的解答,使用以下命令下载公钥。

    $ sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 2B2458BF
    gpg: directory `/root/.gnupg' created
    gpg: new configuration file `/root/.gnupg/gpg.conf' created
    gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
    gpg: keyring `/root/.gnupg/secring.gpg' created
    gpg: keyring `/root/.gnupg/pubring.gpg' created
    gpg: requesting key 2B2458BF from hkp server keyserver.ubuntu.com
    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key 2B2458BF: public key "Anjana Fernando (LA_F) " imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
  • 再进行校验,就可以得到成功的信息。

    $ sudo gpg --verify wso2dss-3.2.1.zip.asc 
    gpg: Signature made Tue 13 May 2014 05:06:11 AM PDT using RSA key ID 2B2458BF
    gpg: Good signature from "Anjana Fernando (LA_F) "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 56EA 3B61 4CC4 7875 A865  0858 8E1A ACF4 2B24 58BF

posted on 2015-09-27 23:42  camash  阅读(13700)  评论(0编辑  收藏  举报

导航