How do I verify a deb package signature?


I downloaded a deb package from GitHub, specifically gcm-linux_amd64.2.0.785.deb

How can I tell whether the package is signed, and how do I verify the signature?


I tried some dpkg commands. These seem to indicate that the package is signed with key BE1229CF.

> dpkg-sig --verify gcm-linux_amd64.2.0.785.deb
Processing gcm-linux_amd64.2.0.785.deb...
UNKNOWNSIG _gpgorigin BE1229CF
> debsig-verify gcm-linux_amd64.2.0.785.deb 
debsig: Could not open Origin directory /etc/debsig/policies/EB3E94ADBE1229CF: No such file or directory

The key is published at https://packages.microsoft.com/keys/microsoft.asc

> gpg microsoft.asc 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa2048 2015-10-28 [SC]
      BC528686B50D79E339D3721CEB3E94ADBE1229CF
uid           Microsoft (Release signing) <[email protected]>

But I still don't know how to verify it.


Aha, after gpg --import microsoft.asc it recognizes the key, but it still fails with BADSIG.

> dpkg-sig --verify gcm-linux_amd64.2.0.785.deb
Processing gcm-linux_amd64.2.0.785.deb...
BADSIG _gpgorigin
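
An added example, not part of the original post: a small parser for the ar container of a .deb that separates the `_gpg*` signature members from the bytes they would sign. It assumes the `_gpgorigin` member follows the debsigs layout (a detached OpenPGP signature over `debian-binary`, `control.tar.*` and `data.tar.*` concatenated in that order); the function names, output file names and sample archive are constructed for illustration.

```python
import sys
AR_MAGIC = b"!<arch>\n"

def read_ar_members(blob):
    """Return [(name, data), ...] for each member of an ar archive (a .deb)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = header[0:16].decode("ascii").rstrip(" /")
        size = int(header[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members.append((name, data))
        pos += 60 + size + (size & 1)  # members are padded to an even offset
    return members

def split_signed_payload(blob):
    """Return (signature members, bytes a debsigs-style signature covers)."""
    members = read_ar_members(blob)
    def only(prefix):
        found = [d for n, d in members if n.startswith(prefix)]
        if len(found) != 1:
            raise ValueError("expected exactly one %s* member" % prefix)
        return found[0]
    sigs = {n: d for n, d in members if n.startswith("_gpg")}
    # Assumed debsigs layout: signature over these three members, in this order.
    return sigs, only("debian-binary") + only("control.tar") + only("data.tar")

def _member(name, data):  # builds the constructed sample below, nothing else
    head = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))
    return head.encode("ascii") + data + (b"\n" if len(data) % 2 else b"")

# Constructed sample, not a real package: placeholder bytes in each member.
SAMPLE = AR_MAGIC + b"".join(_member(n, d) for n, d in [
    ("debian-binary", b"2.0\n"), ("control.tar.gz", b"CTL"),
    ("data.tar.gz", b"DATA!"), ("_gpgorigin", b"SIG")])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    sigs, payload = split_signed_payload(blob)
    print("signature members:", sorted(sigs), "payload bytes:", len(payload))
    if len(sys.argv) > 1 and "_gpgorigin" in sigs:
        open("payload.bin", "wb").write(payload)
        open("origin.sig", "wb").write(sigs["_gpgorigin"])
```

Run with the .deb path as its argument, it writes payload.bin and origin.sig; with the publisher's key imported, `gpg --verify origin.sig payload.bin` then checks the signature against exactly those bytes.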
