How can I verify signed files like Tor Installer with additional sig file?

0J's Avatar

0J

19 Nov, 2019 08:37 AM

Hi,
I'm missing one very important "how to". Maybe it is buried somewhere and cannot find it...

I want to use GPG Tools just to verify the signature of a downloaded .dmg installer.
For example the Tor installer is signed only with PGP, unfortunately for me no checksum.

Anyone to give me a link please? Thanx

  1. Support Staff 1 Posted by Steve on 20 Nov, 2019 01:50 PM

    Steve's Avatar

    Hi 0J,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    This KB-article explains how to verify signed files.

    Let me know if you have more questions or need further assistance after going through that KB.

    All the best,
    Steve

  2. 2 Posted by 0J on 20 Nov, 2019 05:58 PM

    0J's Avatar

    Hello Steve,
    thank you very much for help!

  3. Steve closed this discussion on 20 Nov, 2019 06:00 PM.

  4. OJ re-opened this discussion on 21 Nov, 2019 09:47 AM

  5. 3 Posted by OJ on 21 Nov, 2019 09:47 AM

    OJ's Avatar

    Hello Steve,
    something is wrong, maybe I'm wrong :-)

    I tried to paste from clipboard the PGP Signature

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEdYzJWMKIiDwvgTtNGUkNSIx2SxAFAl3ARWwACgkQGUkNSIx2
    SxAJ2RAAmlhykI0fKyw7WJXFvrIDQA6cvqfXd4Q62HClW+PWXccDJDsq+QXX1IUw
    Nho0rm94ya+6JeMZhEMyY1I0kSmIH0sAzXGqSxrcyFlNzlX2zkD9BuaI9sDpKvX5
    a317rbviLeJ2cC9rbo/zl6pS3ElreYLUvA2KOEHXvZKMg7AXIyRx5qc2LtC/4rOU
    sB7sP5StefdVHXWkhpfD6AJEfNoYBRDKb/BaiZny4v8AJ+mTz2ywiA7omwOM9hBc
    Y66axTvviWAuT/fy7OMgmnsz725wXBlg7CZvIvJG9hy4euozDD3How+kty+pk+JF
    vwjkzQ5n7NWmSGCBr1QPxhgRWNpy8ZSCLLsgeknhXgCH6AqUKKuyhUPc381ckYrz
    JoImHKfW6sBrW7rZkWYs3GYmi4kN55QKk9wX/KkGMp3E8mY/+5CltIe/HtapoyH6
    /HU5w4F8s5v+sF/F4erz09nAgCMiE03E46430yCIT/RZ24d+teHWRLsuwAKIxlr7 4zm62xxMwQIXRXFO38aKsSa7Jr1Z0snSGp68rDns0I+GgjUTW3tQL4kN7SiIcTKi
    bc782EzJMRMdEcVKA1G2pVIRLgBS5SvdculObz+cLoHADoEihS6wYbKF1sRlI56e
    8r4BFr6yz96CfI54124lvu/YWf9JFAYDt3J+X9zfSx9BM8U/5i8=
    =KLK6 -----END PGP SIGNATURE-----

    and get the answer that this is not a signature and the same message from a .txt file I created..

    Some more help please?

  6. Support Staff 4 Posted by Steve on 21 Nov, 2019 10:30 PM

    Steve's Avatar

    Can you please list the steps you took to create the signature and then the steps you took to verify.

  7. 5 Posted by OJ on 22 Nov, 2019 08:37 AM

    OJ's Avatar

    Hello Steve,
    First I have to mention that this is not an installer file signature, it is a canary signature.

    1. I copied the signature and pasted in to the PGP app window - the answer was Not an valid signature.

    2. I created an .txt file with the content of the signature and pulled the closed file into the PGP app window. Same answer as in step 1.

    Thank you

  8. Support Staff 6 Posted by Steve on 22 Nov, 2019 09:20 AM

    Steve's Avatar

    Can you link to the age with the canary signature so we can try to reproduce why the verification is not working for you.

    And please also attach the txt file you created again so that we can reproduce the issue and see what is going wrong.

  9. 7 Posted by OJ on 22 Nov, 2019 11:45 AM

    OJ's Avatar

    here is the link: https://api.azirevpn.com/v1/warrantcanary and attached the txt file.

    Thank you for support Steve

  10. Support Staff 8 Posted by Steve on 22 Nov, 2019 02:26 PM

    Steve's Avatar

    We tried to verify the signature of the link you sent and were able to do so.

    For the verification to be successful keep in mind that you need to have the public key first. So search for the fingerprint they give and after downloading the public key please retry.

    Also you may want to ask that company to upload and verify theri public key to keys.openpgp.org

    Best,
    Steve

  11. 9 Posted by OJ on 22 Nov, 2019 03:25 PM

    OJ's Avatar

    Here is my result.

  12. Support Staff 10 Posted by Steve on 22 Nov, 2019 08:43 PM

    Steve's Avatar

    Importing the signature into GPG Keychain won't work as that is the key manager.

    Please

    1. visit https://api.azirevpn.com/v1/warrantcanary
    2. mark all with cmd + A
    3. right click > Services > OpenPGP: Verify Signature of Selection
  13. 11 Posted by OJ on 22 Nov, 2019 09:35 PM

    OJ's Avatar

    Thank you Steve,
    and please remove the second printscreen.... !!!

    OJ

  14. Support Staff 12 Posted by Steve on 22 Nov, 2019 09:43 PM

    Steve's Avatar

    Glad this is solved for you. I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.

    Best,
    Steve

  15. Steve closed this discussion on 22 Nov, 2019 09:43 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac