Trying to verify a download signature with PGP, but getting “no signed data” when passing in the .asc...












I tried the following steps from Verifying Signatures on the Tor Project:

    gpg.exe --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

    imported: 1

    gpg.exe --fingerprint 0x4E2C6E8793298290

    pub   4096R/93298290 2014-12-15 [expires: 2020-08-24]
    Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
    uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
    sub 4096R/D9FF06E2 2018-05-26 [expires: 2020-09-12]

    gpg.exe --verify C:\Users\Cyn\Desktop\torbrowser-install-win64-8.0.4_en-US.exe.asc

    gpg: no signed data
    gpg: can't hash datafile: No data

The file looks like this:

    -----BEGIN PGP SIGNATURE-----

    blah blah blah/E
    =oakm

    -----END PGP SIGNATURE-----

So what have I done wrong?










migrated from crypto.stackexchange.com Dec 22 '18 at 21:58


This question came from our site for software developers, mathematicians and others interested in cryptography.




















Tags: signature, pgp

asked Dec 22 '18 at 21:36 by Dr-Bracket











1 Answer
It's a detached signature and you need the data.

The Tor package signatures, like many other package signatures using PGP/GPG you will find on the net, are what PGP/GPG calls a detached signature -- the data is in one (often large) file, and the signature is in a second, separate (small) file. That's why there are two download links (or buttons) -- one for the actual software package and one for the separate/detached signature. In order to verify a detached signature on data you also need the data (and the public key); e.g. for Windows you need

    torbrowser-install-win64-8.0.4_en-US.exe -- the (relevant) data file
    torbrowser-install-win64-8.0.4_en-US.exe.asc -- the signature

Notice how the filenames have the same base, but the signature has .asc added at the end. If you run gpg[.exe] --verify file.asc where file.asc is a detached signature, gpg automatically looks for the data in file -- and fails if it's not there. (Similarly for file.sig and file for a binary aka 'unarmored' signature.)

The page you link actually says "Assuming you downloaded the package and its signature to your Desktop ..." Notice package AND its signature.

If you actually have the data file but under a different name (including a different directory), or if it's under the defaulted name but you want to be explicit (which the GPG manual now recommends), specify both filenames:

    gpg[.exe] --verify sigfile.asc datafile





answered Dec 23 '18 at 2:50 by dave_thompson_085
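The check described in the answer, as an added example that is not part of the original post and not gpg's own logic: it reads the first OpenPGP packet in the armored file to tell a detached signature from an inline-signed message, then derives the data file name the way the answer describes (dropping .asc or .sig). The function names are hypothetical and the sample packet is constructed, not a real signature.

```python
import base64
import os

TAG_SIGNATURE = 2            # OpenPGP signature packet
INLINE_TAGS = {4, 8, 11}     # one-pass signature, compressed data, literal data

def dearmor(text):
    """Decode the base64 body of an ASCII-armored OpenPGP block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an ASCII-armored OpenPGP block")
    start = lines.index("") + 1            # armor headers end at the blank line
    b64 = []
    for ln in lines[start:]:
        if ln.startswith("=") or ln.startswith("-----END"):
            break                          # CRC-24 line or end of armor
        b64.append(ln)
    return base64.b64decode("".join(b64))

def first_packet_tag(raw):
    """Return the tag of the first packet (old or new header format)."""
    if not raw or not raw[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    head = raw[0]
    return head & 0x3F if head & 0x40 else (head >> 2) & 0x0F

def plan_verify(sig_path, sig_text):
    """Return (kind, data_path, ready) for a signature file.

    kind is 'detached', 'inline' or 'other'; data_path is where the signed
    bytes are expected (detached only); ready is True when the data needed
    for verification is available.
    """
    tag = first_packet_tag(dearmor(sig_text))
    if tag in INLINE_TAGS:
        return ("inline", None, True)      # signed data is inside the message
    if tag != TAG_SIGNATURE:
        return ("other", None, False)
    base, ext = os.path.splitext(sig_path)
    data_path = base if ext.lower() in (".asc", ".sig") else None
    ready = data_path is not None and os.path.isfile(data_path)
    return ("detached", data_path, ready)

def make_sample_sig():
    """Constructed sample: armor around a truncated v4 signature packet."""
    raw = bytes([0x88, 0x04, 0x04, 0x00, 0x01, 0x08])
    body = base64.b64encode(raw).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + body +
            "\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    name = "torbrowser-install-win64-8.0.4_en-US.exe.asc"
    print(plan_verify(name, make_sample_sig()))
```

A result of ('detached', path, False) is the situation in the question: the .asc holds only a signature packet and the package it signs is not beside it.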
