Verifying text signature

Tyler

14 Apr, 2017 05:32 PM

Hi,

I am trying to verify a dmg file which I have downloaded. I also have the public key which I have imported into the key chain.
But the only issue is that the signature key doesn't download as a file, instead it opens up into a separate text window in a browser tab.
How do I use this to verify?
I have tried putting the dmg file on to desktop and also saving the sig text as a text document and placing in the desktop but verification just keeps coming up failed but I don't think I am doing this right.

Can you help?

Thanks,
Tyler

  1. Support Staff 1 Posted by Steve on 19 Apr, 2017 07:32 PM

    Hi Tyler,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    The steps are described here: https://gpgtools.tenderapp.com/kb/how-to/how-to-verify-the-download...

    The fact that the signature does not download as a file is a bit odd and you should probably ask the maintainers of the project in question to look if they can find a better way to provide the sig file to their users.

    Saving the signature as txt file is indeed the correct step. After that please rename the text file to TheFileNameOftheFileYouWantToVerify.dmg.sig

    Are you then able to verify the signature?

    Best,
    steve

  2. 2 Posted by Tyler on 20 Apr, 2017 02:44 AM

    Hi Steve,

    Thanks for your response.

    Unfortunately, renaming the file didn't change the result...

    As suggested I have contacted the maintainer to ask about this.

    Thanks,
    tyler

  3. Support Staff 3 Posted by Steve on 20 Apr, 2017 11:08 AM

    Ok, keep us posted on what they respond. Also if this is a public download, could you share a link so we can take a closer look?

  4. 4 Posted by Tyler on 21 Apr, 2017 05:08 PM

    Ok, will do. Thanks, Steve.

    Not heard anything back just yet but here is the link for qbittorrent which is what I was trying to verify.

    https://www.qbittorrent.org/download.php

    When clicking on to the download link for apple DMG or PGP signature download it goes to Fosshub which is where I downloaded the Mac OSX download and signature below it which just opens text tab.

    If I've done this incorrectly please let me know.

    Thanks,
    Tyler

  5. Support Staff 5 Posted by Steve on 28 Apr, 2017 09:02 AM

    Hey Tyler,

    I think this is not your error. This is a highly confusing way to display things. On https://www.qbittorrent.org/download.php there are two links: 1) the dmg file 2) the PGP signature. But actually both links go to the same URL which is: https://www.fosshub.com/qBittorrent.html

    That's confusing to begin with.

    On that page users can download the actual dmg file called "Download qBittorrent Mac OS X" and the PGP signature called "Download qBittorrent Mac OS X PGP signature". That goes here: https://download.fosshub.com/Protected/expiretime=1493393914;badurl... and displays as text in the browser.

    Copy that info to TextEdit and store it as "qbittorrent-3.3.12.dmg.asc".

    The text I see is:

    
    You'd then have two files with the naming as shown in attached screenshot. Then all you have to do is right click either of the two files and select Services > OpenPGP: Verify Signature of File.

    Let me know if that worked.

    Best,
    steve

  6. 6 Posted by Tyler on 28 Apr, 2017 12:32 PM

    Thanks for that Steve.

    Unfortunately it's still coming up saying 'verification failed, no signature found'.

    I have the files exactly as you have shown saved in my desktop and it's still not working. Public key and fingerprint for qbittorrent is uploaded and correct in keychain and so I can't think what else it could be. I've authenticated a different software before but that was an actual downloaded sig file as opposed to this method of trying to verify.

    -Just to note when saving text file as advised it automatically wanted to save as rtf file but I changed it to asc file.-

    Have written to Fosshub and no reply as of yet. I'm pretty sure it must be legit but a bit perplexed here :/

    Thanks,
    Tyler

  7. Support Staff 7 Posted by Steve on 28 Apr, 2017 03:56 PM

    RTF may be the problem. Keys and signatures are always to be saved as .txt not .rtf since otherwise contents may be altered.

    Could you retry using .txt and let me know if that worked.

    Best,
    steve

  8. 8 Posted by Tyler on 30 Apr, 2017 01:54 AM

    Ok, tried:

    qbittorrent-3.3.12.dmg.asc.txt

    Still didn't work unfortunately. :/

    Thanks,
    Tyler

  9. Support Staff 9 Posted by Steve on 30 Apr, 2017 10:54 AM

    Can you try renaming the file to "qbittorrent-3.3.12.dmg.asc"

    If that still does not work, please create a screenshot of the steps you take to create that asc file. You can do that using the onboard QuickTime software.

    • open QuickTime
    • in the menubar select File > New Screen Recording
    • in the new window, click the dropdown arrow next to the record icon and enable 'Show Mouse Clicks in Recording'
    • press record and reproduce the problem you are having with GPG Suite

    To end the recording, press the 'Stop' icon in the menubar icon section. Save the file and attach it to your existing discussion by visiting your discussion in your browser.

  10. 10 Posted by Tyler on 01 May, 2017 02:20 AM

    Thanks Steve,

    Still didn't work.

    Here's a clip of the steps I took.
    Tyler

  11. Support Staff 11 Posted by Steve on 04 May, 2017 11:33 AM

    You are using an rtf file instead of a txt file to save the signature. rtf will break the signature.

    Check TextEdit > Format and switch to PlainText. That should do the trick.
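
The failure diagnosed in the reply above (a signature saved as RTF) and the naming advice earlier in the thread can be checked before gpg is run. This is an added example, not part of the original discussion and not GPGTools code; the function names and the sample files are constructed for illustration, and the `.asc`/`.sig` naming check follows the thread's advice.

```shell
#!/bin/sh
# Added example, not GPGTools code. Sample files below are constructed.

# check_sig_file <sig-file>: print a diagnosis; return 0 only when usable.
check_sig_file() {
    sig=$1
    [ -f "$sig" ] || { echo "missing"; return 1; }

    # TextEdit's rich-text mode writes an RTF document, which starts with {\rtf
    case "$(head -n 1 "$sig")" in
        '{\rtf'*) echo "rtf"; return 1 ;;
    esac

    # First and last non-blank lines must be the armor markers (CRs ignored).
    first=$(tr -d '\r' < "$sig" | awk 'NF { print; exit }')
    last=$(tr -d '\r' < "$sig" | awk 'NF { l = $0 } END { print l }')
    [ "$first" = "-----BEGIN PGP SIGNATURE-----" ] &&
        [ "$last" = "-----END PGP SIGNATURE-----" ] ||
        { echo "no-armor"; return 1; }

    # Name must be <download>.asc or <download>.sig, next to the download.
    case "$sig" in
        *.asc | *.sig) data=${sig%.*} ;;
        *) echo "bad-extension"; return 1 ;;
    esac
    [ -f "$data" ] || { echo "no-data-file"; return 1; }
    echo "ok"
}

# verify_download <sig-file>: run gpg only once the file passes the checks.
verify_download() {
    check_sig_file "$1" >/dev/null || { echo "fix the signature file first" >&2; return 1; }
    gpg --verify "$1" "${1%.*}"
}

# make_samples <dir>: constructed placeholder files, not a real signature.
make_samples() {
    printf 'dummy' > "$1/app.dmg"
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' 'Q09OU1RSVUNURUQ=' \
        '-----END PGP SIGNATURE-----' > "$1/app.dmg.asc"
    cp "$1/app.dmg.asc" "$1/app.dmg.asc.txt"
    { printf '%s\n' '{\rtf1\ansi\cocoartf1504'; cat "$1/app.dmg.asc"; echo '}'; } \
        > "$1/rich.dmg.asc"
}
```

A result of `rtf` means the file has to be re-saved as plain text; `ok` only says the file is shaped like a detached signature, and `gpg --verify` still decides whether it is valid.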

  12. 12 Posted by tyler on 04 May, 2017 11:07 PM

    Hi Steve,

    That seems to have certainly done the trick!

    It says undefined trust but I'm assuming this is normal in this instance?

    Thanks,
    Tyler

  13. Support Staff 13 Posted by Steve on 08 May, 2017 09:03 AM

    Great. For any key or signature usage sticking to .txt files will be required.

    Yes, the undefined trust is due to the trust level for the public key used to verify the signature and is expected.

    This KB-article explains how to verify and sign a key.

    All the best,
    steve

  14. 14 Posted by tyler on 08 May, 2017 10:30 PM

    That's awesome.

    Thanks for your help, Steve.

  15. Support Staff 15 Posted by Steve on 09 May, 2017 10:32 AM

    You are welcome.

    Glad this is solved for you. I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.

    Best, steve

  16. Steve closed this discussion on 09 May, 2017 10:32 AM.
