tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/51395-verifying-text-signatureGPGTools: Discussion 2017-05-09T10:32:30Ztag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-04-19T19:32:59Z2017-04-19T19:32:59ZVerifying text signature<div><p>Hi Tyler,</p>
<p>welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.</p>
<p>The steps are described here: <a href="https://gpgtools.tenderapp.com/kb/how-to/how-to-verify-the-downloaded-gpg-suite#verify-signature-of-any-downloaded-file-gpg-installed-">https://gpgtools.tenderapp.com/kb/how-to/how-to-verify-the-download...</a></p>
<p>The fact that the signature does not download as a file is a bit odd and you should probably ask the maintainers of the project in question to look if they can find a better way to provide the sig file to their users.</p>
<p>Saving the signature as txt file is indeed the correct step. After that please rename the text file to TheFileNameOftheFileYouWantToVerify.dmg.sig</p>
<p>Are you then able to verify the signature?</p>
<p>Best,<br>
steve</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-04-20T02:44:21Z2017-04-20T02:44:23ZVerifying text signature<div><p>hi Steve,</p>
<p>Thanks for your response.</p>
<p>Unfortunately, renaming the file didn't change the result...</p>
<p>As suggested I have contacted the maintainer to ask about this.</p>
<p>Thanks,<br>
tyler</p></div>Tylertag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-04-20T11:08:48Z2017-04-20T11:08:48ZVerifying text signature<div><p>Ok, keep us posted on what they respond. Also if this is a public download, could you share a link so we can take a closer look?</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-04-21T17:08:33Z2017-04-21T17:08:34ZVerifying text signature<div><p>Ok, will do. Thanks, Steve.</p>
<p>Not heard anything back just yet but here is the link for qbittorrent which is what I was trying to verify.</p>
<p><a href="https://www.qbittorrent.org/download.php">https://www.qbittorrent.org/download.php</a></p>
<p>When clicking on to the download link for apple DMG or PSP signature download it goes to Fosshub which is where I downloaded the Mac OSX download and signature below it which just opens text tab.</p>
<p>If I've done this incorrectly please let me know.</p>
<p>Thanks,<br>
Tyler</p></div>Tylertag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-04-28T09:02:41Z2017-04-28T09:02:41ZVerifying text signature<div><p>Hey Tyler,</p>
<p>I think this is not your error. This is a highly confusing way to display things. On <a href="https://www.qbittorrent.org/download.php">https://www.qbittorrent.org/download.php</a> there is two links: 1) the dmg file 2) the PGP signature. But actually both links go to the same URL which is: <a href="https://www.fosshub.com/qBittorrent.html">https://www.fosshub.com/qBittorrent.html</a></p>
<p>That's confusing to begin with.</p>
<p>On that page users can download the actual dmg file called "Download qBittorrent Mac OS X" and the PGP signature called "Download qBittorrent Mac OS X PGP signature". That goes here: <a href="https://download.fosshub.com/Protected/expiretime=1493393914;badurl=aHR0cDovL3d3dy5mb3NzaHViLmNvbS9xQml0dG9ycmVudC5odG1s/99eca4b4c3584c7b6a667f6f3555bf6ecd26aaea0680e8f1f72e2d5ed0b69a3d/qBittorrent/qbittorrent-3.3.12.dmg.asc">https://download.fosshub.com/Protected/expiretime=1493393914;badurl...</a> and displays as text in the browser.</p>
<p>Copy that info to TextEdit and store it as "qbittorrent-3.3.12.dmg.asc".</p>
<p>The text I see is:</p>
<pre>
<code>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJY5s6VAAoJEG5KLQJbfMmizFQP/RPZ9NbBRhDYMbw7bxwGJt8K
0Qrq1sG4ailQWtqhTtMh4LX1aXO0fE8W+xQD966xs8cYJ+ExG9EMP031M7s5OK+i
jE32bd6Yndt4oT8Y5y9c03o+8ju+RTXb5sAAJ6azhqcuveXkhLAKbDI3o7h/r9hd
yGb8PKt9tjVPi2JHhA01eIv/foWoWiS+PEda/Oojh/fNDIuJxxamjBa26fU5r/05
e+jWbi6v+eKNstVp5/5oDHlTgC9CSCnEM3DBFWhU0VsIl/xQdvODVJCZ7TUKtjlE
dZCFwSx812/+M/2JMyg0nwED7j2QnvCxIpZqnqZrzSHZTvJAlqVQgQ5WlxjyldaN
T54PYMgdRGFw8e6rNJjnuLpuYns6OnwULUMEZHV3EjsilgEHCCnFriAYHoz5p/zQ
AkOiBdHGZs4RwiXXyV7ZJAzl9U0JvISPQ5HMriTNBowdaw5QyTnDHHn4/2z4B+lB
0g6r9+eTdkEMy/52rZlptyxienItAUzBMoUtQ36SY4stG8kbtHdbiEa5jWvZD/DZ
vJCtX0nj40ldqZ7hRGx+JvPIF4eCpOe84lVJ/icy5k3M+hhep6dZoc1noGebfb4g
eYai7zHRPTfc3OOUYTu8Un0OU0EoP2psbd58WU7yTuyplw7oVqNv1/2bOk42mRIu
wqfnvA8zq7LXBkc4IQgC
=Zsjc
-----END PGP SIGNATURE-----</code>
</pre>
<p>You'd then have two files with the naming as shown in attached screenshot. Then all you have to do is right click either of the two files and select Services > OpenPGP: Verify Signature of File.</p>
<p>Let me know if that worked.</p>
<p>Best,<br>
steve</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-04-28T12:32:13Z2017-04-28T12:32:14ZVerifying text signature<div><p>Thanks for that Steve.</p>
<p>Unfortunately it's still coming up saying 'verification failed, no signature found'.</p>
<p>I have the files exactly as you have shown saved in my desktop and it's still not working. Public key and fingerprint for qbittorrent is uploaded and correct in keychain and so i can't think what else it could be. I've authenticated a different software before but that was an actual downloaded sig file as opposed to this method of trying to verify.</p>
<p>-Just to note when saving text file as advised it automatically wanted to save as rtf file but i changed it to asc file.-</p>
<p>Have written to Fosshub and no reply as of yet. I'm pretty sure it must be legit but a bit perplexed here :/</p>
<p>Thanks,<br>
Tyler</p></div>Tylertag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-04-28T15:56:47Z2017-04-28T15:56:47ZVerifying text signature<div><p>RTF may be the problem. Keys and signatures are always to be saved as .txt not .rtf since otherwise contents may be altered.</p>
<p>Could you retry using .txt and let me know if that worked.</p>
<p>Best,<br>
steve</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-04-30T01:54:40Z2017-04-30T01:54:42ZVerifying text signature<div><p>Ok, tried:</p>
<p>qbittorrent-3.3.12.dmg.asc.txt</p>
<p>Still didn't work unfortunately. :/</p>
<p>Thanks,<br>
Tyler</p></div>Tylertag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-04-30T10:54:36Z2017-04-30T10:54:36ZVerifying text signature<div><p>Can you try renaming the file to "qbittorrent-3.3.12.dmg.asc"</p>
<p>If that still does not work, please create a screenshot of the steps you take to create that asc file. You can do that using the onboard QuickTime software.</p>
<ul>
<li>open QuickTime</li>
<li>in the menubar select File > New Screen Recording</li>
<li>in the new window, click the dropdown arrow next to the record icon and enable 'Show Mouse Clicks in Recording'</li>
<li>press record and reproduce the problem you are having with GPG Suite</li>
</ul>
<p>To end the recording, press the 'Stop' icon in the menubar icon section. Save the file and attach it to your existing discussion by visiting your discussion in your browser.</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-05-01T02:20:22Z2017-05-01T02:20:26ZVerifying text signature<div><p>Thanks Steve,</p>
<p>Still didn't work.</p>
<p>Here's a clip of the steps I took.<br>
Tyler</p></div>Tylertag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-05-04T11:33:04Z2017-05-04T11:33:04ZVerifying text signature<div><p>You are using an rtf file instead of a txt file to save the signature. rtf will break the signature.</p>
<p>Check TextEdit > Format and switch to PlainText. That should do the trick.</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-05-04T23:07:37Z2017-05-04T23:07:38ZVerifying text signature<div><p>Hi Steve,</p>
<p>That seems to have certainly done the trick!</p>
<p>It says undefined trust but i'm assuming this is normal in this instance?</p>
<p>Thanks,<br>
Tyler</p></div>tylertag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-05-08T09:03:37Z2017-05-08T09:03:37ZVerifying text signature<div><p>Great. For any key or signature usage sticking to .txt files will be required.</p>
<p>Yes, the undefinied trust is due to the trust level for the public key used to verify the signature and expected.</p>
<p>This <a href="https://gpgtools.tenderapp.com/kb/how-to/trusting-keys-and-why-this-signature-is-not-to-be-trusted">KB-article</a> explains how to verify and sign a key.</p>
<p>All the best,<br>
steve</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-05-08T22:30:56Z2017-05-08T22:30:58ZVerifying text signature<div><p>That's awesome.</p>
<p>Thanks for your help, Steve.</p></div>tylertag:gpgtools.tenderapp.com,2011-11-04:Comment/423635642017-05-09T10:32:28Z2017-05-09T10:32:28ZVerifying text signature<div><p>You are welcome.</p>
<p>Glad, this is solved for you. I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.</p>
<p>Best, steve</p></div>Steve