Home → Stable →

How to use a signature file

• Edit

mebbm

07 Aug, 2012 08:00 AM

hi

I have a pgp signature file from true crypt and would like to know how to verify the file using the PGP signature. I am using Mac OS, and gpg keychain aceess.

Thanks
Secure blackberry!

1. Support Staff 1 Posted by Steve on 10 Aug, 2012 07:17 PM

   

   Hey mebbm,

   not sure what your use case is. What do you mean by "signature file from true crypt"?

   If you have a file that has been signed and you want to verify that signature, you'd have to have the according public key in your GPG Keychain Access.

   Did you install the GPGTools Installer on your system? If so, you also should have the GPGServices installed on your system.

   See here for how to activate the GPGServices on your system: http://support.gpgtools.org/kb/faq/how-do-i-activate-gpgservices

   Does this help or do you need further assistance?

   All the best :)
   steve

   • Edit

2. 2 Posted by mebbm on 11 Aug, 2012 06:00 PM

   

   Hi

   Truecrypt has a "pgp signature" (verify the integrity and authenticity of Truecrypt distrubution package) download page for the Mac OS and beside the download file is a "pgp signature" that can be dowloaded.

   I have downloaded the GPGtool installer for Mac OS but it does not recognize the pgp signature file.

   Question

   How is the pgp signature used?

   Does gpg have trusted public key repository already installed?
   Secure blackberry!

   • Edit

3. Support Staff 3 Posted by Luke Le on 14 Aug, 2012 10:22 AM

   

   Hi mebbm,

   did you follow Steve's steps to enable GPGServices?
   If so, please download the latest nightly version of GPGServices from http://nightly.gpgtools.org and install it.

   After that, right click on the TrueCrypt 7.1a Mac OS X.dmg.sig file and select Services -> OpenPGP: Verify signature of file

   This only works if the TrueCrypt 7.1a Mac OS X.dmg and TrueCrypt 7.1a Mac OS X.dmg.sig file are in the same directory, otherwise GPGServices can't know which file you want to verify.

   I've just tested it on my machine and it works like a charm.

   Hope that helps.

   • Edit

4. 4 Posted by mebbm on 14 Aug, 2012 05:28 PM

   

   Hi

   I have downloaded the openpgp app. When I perform a verification I get the message "verification failed: no signatures found".

   Do I have to get truecrypts keyserver?

   Thanks
   Secure blackberry!

   • Edit

5. Support Staff 5 Posted by Luke Le on 14 Aug, 2012 06:04 PM

   

   No, you shouldn't have to.
   Check if the .sig file is in the same folder as the .dmg file.
   If you're using a downloader like Speed Download there's a good chance the two files are in separate folders which would explain the error message.
   If they are, put them into the same folder and try the steps I've explained before again.

   • Edit

6. 6 Posted by mebbm on 14 Aug, 2012 07:00 PM

   

   Hi
   I have tried placing the signature file in the same directory as the dmg and I get "verification fail: 9"

   The steps I took is downloaded truecrypt signature file. Then verified with gpgtool

   Thanks

   Secure blackberry!

   -----Original Message-----
   From: [email blocked]
   Date: Tue, 14 Aug 2012 17:21:09
   To: Luke Le<[email blocked]>
   Reply-To: [email blocked]
   Subject: Re: [GPGTools] How to use a signature file [Everything]

   Hi

   I have downloaded the openpgp app. When I perform a verification I get the message "verification failed: no signatures found".

   Do I have to get truecrypts keyserver?

   Thanks
   Secure blackberry!

   • Edit

7. Support Staff 7 Posted by Luke Le on 14 Aug, 2012 07:04 PM

   

   Hi mebbm,

   I really don't know what the problem could be.
   Please do the following.
   Create a folder called truecrypt.
   Put the dmg and the sig file into that folder.
   Make a screenshot for us and attach it to the discussion.
   Try to verify the signature and make a screenshot of the error message.
   Attach this screenshot to the discussion.

   • Edit

8. 8 Posted by mebbm on 14 Aug, 2012 08:41 PM

   

   I have placed both the .dmg and .sig file in a folder called "signature file confirmation.

   Does this mean the downloaded file I downloaded through my ISP is not valid?

   • Folder_Signature_file_confirmation_folder.jpg 63.3 KB
   • pgp_verification.jpg 113 KB
   • Edit

9. Support Staff 9 Posted by Luke Le on 14 Aug, 2012 08:50 PM

   

   Hi mebbm,

   it's interesting you get that error and I don't, but try the following:

   1.) Open GPG Keychain Access
   2.) Press ALT + CMD (the apple key) + K
   3.) Insert the following key id: 0xF0D6B1E0
   4.) Wait for the key to be imported.

   After that, try to verify again.

   • Edit

10. 10 Posted by mebbm on 14 Aug, 2012 09:11 PM

    

    Hi

    Where is that keyid coming from? This is a security v erification of a files validity and I don't want to perform any action I don't understand.

    You said you tried verifying the file and it worked. Now since - downloaded this file through my Isp electronic box in canada does this mean the file is invalid?

    Thx

    • Edit

11. Support Staff 11 Posted by Luke Le on 14 Aug, 2012 09:14 PM

    

    The keyid is the one connected to truecrypt's official openpgp key.
    This was only to make it easier for you to find the right one, since to find it on their website is a p.i.t.a and if you search on the keyservers multiple keys are returned as matches.

    • Edit

12. 12 Posted by mebbm on 14 Aug, 2012 10:09 PM

    

    Hi

    What is p.i.t.a?

    I asked if I need truecrypt key server and you said nom Explain

    Thx

    • Edit

13. Support Staff 13 Posted by Luke Le on 14 Aug, 2012 10:12 PM

    

    P.I.T.A stands for pain in the ass, since the key is not too easy to find on there website.
    No, you don't need their keyserver, you only might need to import their public key.
    As I said, it works without any problems for me so I'm only trying to give you hints of what you could do to finally verify this file.

    • Edit

14. 14 Posted by mebbm on 14 Aug, 2012 11:01 PM

    

    Hi

    Can you tell me where you got your public key for truecrypt?

    Thanks

    • Edit

15. Support Staff 15 Posted by Luke Le on 14 Aug, 2012 11:04 PM

    

    https://www.truecrypt.org/download/TrueCrypt-Foundation-Public-Key.asc

    • Edit

16. 16 Posted by mebbm on 14 Aug, 2012 11:46 PM

    

    Hi

    After installing the true crypt Public key, Email [email blocked], Key ID: 0xF0D6B1E0 I get the enclosed result.

    When I go to PGP global directory https://keyserver.pgp.com/vkd/SubmitSearch.event it cannot find the key? why?

    Thanks

    • verification_results.jpg 41.5 KB
    • PGP_global_directory.jpg 41.1 KB
    • Edit

17. 17 Posted by mebbm on 14 Aug, 2012 11:49 PM

    

    resubmitting the verifications results

    • verification_results.jpg 41.5 KB
    • Edit

18. Support Staff 18 Posted by Luke Le on 15 Aug, 2012 02:09 AM

    

    Nice, so it worked.
    Now you can be sure no one toyed with it.

    In regards to the truecrypt key not being in the PGP Global Directory you should ask the guys at truecrypt.

    Closing this discussion. Glad we could help you.
    Feel free to open a new one anytime.

    • Edit

19. Luke Le closed this discussion on 15 Aug, 2012 02:09 AM.

20. mebbm re-opened this discussion on 15 Aug, 2012 02:17 AM

21. 19 Posted by mebbm on 15 Aug, 2012 02:17 AM

    

    Hi

    Are you saying that there is no single depository to check for public keys or key id?

    Thanks

    • Edit

22. Support Staff 20 Posted by Luke Le on 15 Aug, 2012 02:18 AM

    

    Exactly, there are a whole bunch of different repositories which are more or less synchronized among each other.

    • Edit

23. 21 Posted by mebbm on 15 Aug, 2012 02:32 AM

    

    Ok. Thanks

    • Edit

24. Steve closed this discussion on 15 Aug, 2012 07:38 AM.