Unable to verify a "PGP SIGNED MESSAGE" in Linux


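gpg version 2.1.18; Debian Stretch

The public key was imported from https://cygwin.com/key/pubring.asc

I downloaded a pair of Cygwin setup files from https://cygwin.com/install.html and they passed the verification test:

gpg --verify setup-x86_64.exe.sig setup-x86_64.exe produced no adverse results...

At that point I was happy and should have stopped there. However, I noticed the Signing key transition section of the Installing and Updating Cygwin Packages page, which points to the Cygwin announce mailing list (https://sourceware.org/pipermail/cygwin-announce/2020-March/009447.html).

Well, try as I might, I could not verify said message in what I consider the normal way - i.e. I saved said message to a text file (cygwin.asc), starting at the -----BEGIN PGP SIGNED MESSAGE----- line and ending at the -----END PGP PUBLIC KEY BLOCK----- line, and then ran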

gpg --verify cygwin.asc

The result was:

gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A  5D56 1A69 8DE9 E2E5 6300
gpg: verify signatures failed: Unexpected error

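The only way I could get rid of the

gpg: verify signatures failed: Unexpected error

squawk was to truncate the public key portion of the message in the cygwin.asc file (thereby creating the cygwin-no-pubkey.asc file).

Then: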

$ gpg --verify cygwin-no-pubkey.asc 
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg:                using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5  9232 A9A2 62FF 6760 41BA
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A  5D56 1A69 8DE9 E2E5 6300

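That looks good to me!

What is going on here? Why do I have to remove the public key block from the subject message to get a good result? I searched for hours, including here, with no joy!

Answer 1

The last line, gpg: verify signatures failed: Unexpected error, indicates that gpg --verify encountered non-signature OpenPGP data (the public key block), but this does not negate the earlier output, which shows that the signatures were verified successfully.

This is expected behavior. Cygwin could include in its instructions (i.e. to save the cleartext and the public key block in the same file) a statement alerting users to this.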
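
The asker's workaround of cutting the public key block off before running gpg --verify can be scripted. The following is an added example, not part of the original question or answer; the function names are made up for illustration, and the two fingerprints are the ones shown in the gpg output above.

```shell
#!/bin/sh
# Added example, not from the original post; function names are illustrative.

# Print only the cleartext-signed part: from BEGIN PGP SIGNED MESSAGE through
# the first END PGP SIGNATURE. Dash-led lines inside the signed text are
# dash-escaped ("- -----..."), so an unescaped END line closes the signature.
extract_signed() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----\r?$/ { keep = 1 }
        keep { print }
        keep && /^-----END PGP SIGNATURE-----\r?$/ { exit }
    ' "$1"
}

# List armored blocks that follow the signature (here, the public key block),
# i.e. the non-signature data the answer says gpg --verify stumbles over.
trailing_blocks() {
    awk '
        after && /^-----BEGIN PGP / { sub(/\r$/, ""); print }
        /^-----END PGP SIGNATURE-----\r?$/ { after = 1 }
    ' "$1"
}

# Read gpg --status-fd output on stdin; succeed only if every fingerprint
# given as an argument appears in a VALIDSIG line (signing or primary key).
all_valid() {
    status=$(cat)
    for fpr in "$@"; do
        printf '%s\n' "$status" |
            awk -v f="$fpr" '
                $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
                END { exit !ok }' || return 1
    done
}

# Verify the signed part only, and require both fingerprints from the gpg
# output on this page rather than relying on the "Good signature" text.
verify_announcement() {
    tmp=$(mktemp) || return 2
    extract_signed "$1" > "$tmp"
    gpg --status-fd 1 --verify "$tmp" 2>/dev/null |
        all_valid 1169DF9F22734F743AA59232A9A262FF676041BA \
                  56405CF6FCC81574682A5D561A698DE9E2E56300
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

if [ $# -gt 0 ]; then verify_announcement "$1"; fi
```

Run it as sh script.sh cygwin.asc; the exit status is 0 only when both signatures are reported valid for the signed portion.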
