gpg verify download


rf
Posts: 30
Joined: Wed Apr 05, 2006 10:16 pm

gpg verify download

Postby rf » Wed May 10, 2006 5:24 pm

Hi,

It is my understanding that the [gpg] and [md5] next to a binary file to download a program such as Apache is for the purpose of verifying the integrity of the download. My question is how do you do that?

gpg httpd-2.2.2..tar.gz returns an error message:
"No valid Open PGP data found.
processing message failed."

Does this mean the file is not OK?
What does it mean and what can be done about it?
Is it important to verify a file that has been downloaded? If so how?

Thanks,

RF

Nico
Posts: 8
Joined: Sun Sep 05, 2004 11:12 am
Location: France

Postby Nico » Wed May 10, 2006 7:50 pm

A md5 hash enables you to verify the integrity of the file you've just downloaded. To use it, download the *.md5 file that goes with the file and then use:

`md5sum --check file.md5`

The gpg signature allows you to verify that the file has been created by a trusted authority. To use it, you have to download the public key of this authority first. When software publishers offer *.sig or *.asc files, they usually explain you how to do that. Then, you can verify the signature of the downloaded file:

`gpg --verify file.sig`

Apache has a very nice page about gpg: http://httpd.apache.org/dev/verification.html
Note that I couldn't access apache.org at all while writing this. Google has cached the page in case you can't access it either.

rf
Posts: 30
Joined: Wed Apr 05, 2006 10:16 pm

Postby rf » Wed May 10, 2006 10:42 pm

Thanks for the reply.

Below is what I did and the responses:

rf@P4-3200RF:~$ md5sum -c httpd-2.2.2.tar.bz2.asc
md5sum: no files checked
rf@P4-3200RF:~$ gpg httpd-2.2.2.tar.bz2.asc
gpg: keyring `/home/rf/.gnupg/secring.gpg' created
Detached signature.
Please enter name of data file: httpd-2.2.2.tar.bz2.asc
gpg: Signature made Fri 21 Apr 2006 09:59:05 PM MDT using DSA key ID 42721F00
gpg: Can't check signature: public key not found
rf@P4-3200RF:~$ pgp --keyserver pgpkeys.mit.edu --recv-key 42721F00
bash: pgp: command not found
rf@P4-3200RF:~$ gpg --keyserver pgpkeys.mit.edu --recv-key 42721F00
gpg: key 42721F00: duplicated user ID detected - merged
gpg: /home/rf/.gnupg/trustdb.gpg: trustdb created
gpg: key 42721F00: public key "Paul Querna <chip>" imported
gpg: Total number processed: 1
gpg: imported: 1
rf@P4-3200RF:~$ gpg httpd-2.2.2.tar.bz2.asc
Detached signature.
Please enter name of data file: httpd-2.2.2.tar.bz2.asc
gpg: Signature made Fri 21 Apr 2006 09:59:05 PM MDT using DSA key ID 42721F00
gpg: BAD signature from "Paul Querna <chip>"
rf@P4-3200RF:~$ gpg --fingerprint 42721F00
pub 1024D/42721F00 2004-01-17 Paul Querna <chip>
Key fingerprint = 39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00
uid Paul Querna <chip>
uid Paul Querna <chip>
uid Paul Querna <pquerna>
sub 2048g/7A2BE310 2004-01-17

The bottom line is - I am still not sure if this all means the downloaded file is OK or not!

When I click on the [PGP] [Md5] links I don't get a downloaded file - just another page on my browser:
Md5 link shows me this:
9c759a9744436de6a6aa2ddbc49d6e81 httpd-2.2.2.tar.bz2
PGP link shows me this:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQBESaoJ94h19kJyHwARAn3mAJ4wv+oU/x1jb8dyE7yPLRvWHfZRuwCdE6tn
5GqYf9/xvObtFvg5sLpRJMs=
=h6Al
-----END PGP SIGNATURE-----

Then I can copy either of these two images into a text file - which somehow does not seem to be the right thing to do, and I am not sure what it means or proves!

I was able to see (and print) the Verifying Apache HTTP Server Releases that was helpful but still left me unsure as to whether my download was good or not!

Thanks for your help.

RF

munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ

Postby munky » Thu May 11, 2006 5:43 pm

read the reply fully

first, do not use md5sum on asc files, use md5sum on md5 files (right click, save target as if md5 files are opening in your browser rather than saving to a file)

`md5sum -c httpd-2.2.2.tar.bz2.md5`

`gpg --verify httpd-2.2.2.tar.bz2.asc`

here's an example of creating and checking an md5 file:

Gavin@munky ~
$ md5sum john-1.6.37.tar.gz > john-1.6.37.tar.gz.md5

Gavin@munky ~
$ cat john-1.6.37.tar.gz.md5
9403233b640927295c05b0564ff1f678 *john-1.6.37.tar.gz

Gavin@munky ~
$ md5sum -c john-1.6.37.tar.gz.md5
john-1.6.37.tar.gz: OK

In God we trust,
Everyone else must have an X.509 certificate.
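
A small POSIX shell helper, added here as an example and not written by either poster, that does the two checks described above. `check_md5` and `check_sig` are names chosen for this example; `check_md5` also handles the case from rf's post where the md5 page was copied from the browser as a bare hash (which makes `md5sum -c` report "no files checked"), and `check_sig` passes the data file to gpg explicitly so gpg never prompts for it, which is where the transcript above went wrong (the .asc was given as the data file, producing "BAD signature").

```shell
#!/bin/sh
# Verify a downloaded archive against its .md5 file.
# Returns 0 on match, non-zero on mismatch or missing files.
check_md5() {
    archive="$1"; md5file="${2:-$1.md5}"
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
    [ -f "$md5file" ] || { echo "missing md5 file: $md5file" >&2; return 1; }
    # md5sum -c needs "<hash>  <filename>" lines (the "*filename" form from
    # munky's post is fine too). If the file names the archive, let md5sum
    # do the check from the archive's directory.
    if grep -qF "$(basename "$archive")" "$md5file"; then
        (cd "$(dirname "$archive")" \
            && md5sum -c "$(basename "$md5file")" >/dev/null 2>&1)
        return $?
    fi
    # Otherwise treat the first word as a bare hash pasted from a web page
    # and compare it with the hash we compute ourselves.
    posted=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    actual=$(md5sum "$archive" | awk '{print $1}')
    [ "$posted" = "$actual" ]
}

# Verify a detached PGP signature. The signer's public key must already be
# imported (as rf did with --recv-key), and gpg must be installed.
check_sig() {
    archive="$1"; sigfile="${2:-$1.asc}"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    # Naming the data file on the command line avoids the interactive prompt.
    gpg --verify "$sigfile" "$archive"
}
```

Note that a good md5 only proves the file matches what the server published; only the gpg check proves it came from the project's signing key.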

rf
Posts: 30
Joined: Wed Apr 05, 2006 10:16 pm

Postby rf » Thu May 11, 2006 11:09 pm

munky,

Thank you. Your help is much appreciated.
I have been able to verify the two downloaded files I needed to. This is much appreciated.

My system is not quite as friendly as yours is. When I
md5sum -c file.tar.bz2.md5
I get nothing in response.

However if I compare the
cat file.tar.bz2 number with the posted number on the download URL it is the same, so I am confident that the file is OK

Where there is a md5 link posted - following your advice gave a satisfactory way to compare numbers.

Thank you.

RF :D
