Trying to verify a download signature with PGP, but getting “no signed data” when passing in the .asc...
I tried the following steps from Verifying Signatures on the Tor Project:

```
gpg.exe --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
imported: 1
gpg.exe --fingerprint 0x4E2C6E8793298290
pub 4096R/93298290 2014-12-15 [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub 4096R/D9FF06E2 2018-05-26 [expires: 2020-09-12]
gpg.exe --verify C:\Users\Cyn\Desktop\torbrowser-install-win64-8.0.4_en-US.exe.asc
gpg: no signed data
gpg: can't hash datafile: No data
```

The file looks like this:

```
-----BEGIN PGP SIGNATURE-----
blah blah blah/E
=oakm
-----END PGP SIGNATURE-----
```

So what have I done wrong?
signature pgp
migrated from crypto.stackexchange.com Dec 22 '18 at 21:58
This question came from our site for software developers, mathematicians and others interested in cryptography.
asked Dec 22 '18 at 21:36
Dr-Bracket
1 Answer
It's a detached signature and you need the data.
The Tor package signatures, like many other package signatures using PGP/GPG you will find on the net, are what PGP/GPG calls a detached signature -- the data is in one (often large) file, and the signature is in a second, separate (small) file. That's why there are two download links (or buttons) -- one for the actual software package and one for the separate/detached signature. In order to verify a detached signature on data you also need the data (and the public key); e.g. for Windows you need
- `torbrowser-install-win64-8.0.4_en-US.exe` -- the (relevant) data file
- `torbrowser-install-win64-8.0.4_en-US.exe.asc` -- the signature

Notice how the filenames have the same base, but the signature has `.asc` added at the end. If you run `gpg[.exe] --verify file.asc` where `file.asc` is a detached signature, gpg automatically looks for the data in `file` -- and fails if it's not there. (Similarly for `file.sig` and `file` for a binary aka 'unarmored' signature.)
The page you link actually says "Assuming you downloaded the package and its signature to your Desktop ..." Notice package AND its signature.
If you actually have the data file but under a different name (including a different directory), or if it's under the defaulted name but you want to be explicit (which the GPG manual now recommends), specify both filenames:
```
gpg[.exe] --verify sigfile.asc datafile
```
answered Dec 23 '18 at 2:50
dave_thompson_085
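As an added example (not part of the question or the answer above), this Python pre-flight check reads an armored `.asc` file, confirms from its first OpenPGP packet that it is a detached signature, and builds the explicit two-file `gpg --verify` command, raising when the data file is missing, which is the situation behind "no signed data". The function names and the truncated sample packet are constructed for illustration; only armored `.asc` input is handled.

```python
import base64
import os

def constructed_sample_sig():
    """Constructed, truncated v4 signature packet (type 0x00); header parsing only."""
    pkt = bytes([0x88, 0x06, 0x04, 0x00, 0x01, 0x08, 0x00, 0x00])
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(pkt).decode()
            + "\n-----END PGP SIGNATURE-----\n")

def first_packet(armored):
    """Return (packet_tag, signature_type) of the first OpenPGP packet in armored text."""
    lines = [ln.strip() for ln in armored.strip().splitlines()][1:-1]  # drop BEGIN/END
    if "" in lines:                      # armor headers, if any, end at a blank line
        lines = lines[lines.index("") + 1:]
    # A line starting with "=" is the CRC24 checksum, not packet data.
    raw = base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))
    hdr = raw[0]
    if hdr & 0x40:                       # new-format header: tag in the low 6 bits
        tag = hdr & 0x3F
        off = 2 if raw[1] < 192 else 3 if raw[1] < 224 else 6
    else:                                # old-format header: tag in bits 5..2
        tag = (hdr >> 2) & 0x0F
        off = 1 + (1, 2, 4, 0)[hdr & 0x03]
    sig_type = None
    if tag == 2:                         # tag 2 = signature packet
        version = raw[off]
        sig_type = raw[off + 2] if version == 3 else raw[off + 1]
    return tag, sig_type

def verify_command(sig_path):
    """Return the gpg argv for sig_path; raise if a detached signature lacks its data."""
    with open(sig_path, encoding="ascii") as fh:
        text = fh.read()
    if text.lstrip().startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return ["gpg", "--verify", sig_path]   # clearsigned: the text is in the file
    tag, sig_type = first_packet(text)
    if tag != 2:
        return ["gpg", "--verify", sig_path]   # inline-signed message carries its data
    data_path, ext = os.path.splitext(sig_path)
    if ext != ".asc":
        raise ValueError("cannot derive the data file name; pass it explicitly")
    if not os.path.isfile(data_path):
        raise FileNotFoundError(
            f"detached signature (type 0x{sig_type:02x}) needs data file {data_path}")
    return ["gpg", "--verify", sig_path, data_path]
```
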