How can I verify signed files like Tor Installer with additional sig file?
I'm missing one very important "how to". Maybe it is buried somewhere and cannot find it...
I want to use GPG Tools just to verify the signature of a downloaded .dmg installer.
For example the Tor installer is signed only with PGP, unfortunately for me no checksum.
Anyone to give me a link please? Thanx
Comments are currently closed for this discussion. You can start a new one.
|?||Show this help|
|ESC||Blurs the current field|
|r||Focus the comment reply box|
|^ + ↩||Submit the comment|
You can use
Command ⌘ instead of
Control ^ on Mac
Support Staff 1 Posted by Steve on 20 Nov, 2019 01:50 PM
welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.
This KB-article explains how to verify signed files.
Let me know if you have more questions or need further assistance after going through that KB.
All the best,
2 Posted by 0J on 20 Nov, 2019 05:58 PM
thank you very much for help!
Steve closed this discussion on 20 Nov, 2019 06:00 PM.
OJ re-opened this discussion on 21 Nov, 2019 09:47 AM
3 Posted by OJ on 21 Nov, 2019 09:47 AM
something is wrong, maybe I'm wrong :-)
I tried to paste from clipboard the PGP Signature
-----BEGIN PGP SIGNATURE-----
=KLK6 -----END PGP SIGNATURE-----
and get the answer that this is not a signature and the same message from a .txt file I created..
Some more help please?
Support Staff 4 Posted by Steve on 21 Nov, 2019 10:30 PM
Can you please list the steps you took to create the signature and then the steps you took to verify.
5 Posted by OJ on 22 Nov, 2019 08:37 AM
First I have to mention that this is not an installer file signature, it is a canary signature.
I copied the signature and pasted in to the PGP app window - the answer was Not an valid signature.
I created an .txt file with the content of the signature and pulled the closed file into the PGP app window. Same answer as in step 1.
Support Staff 6 Posted by Steve on 22 Nov, 2019 09:20 AM
Can you link to the age with the canary signature so we can try to reproduce why the verification is not working for you.
And please also attach the txt file you created again so that we can reproduce the issue and see what is going wrong.
7 Posted by OJ on 22 Nov, 2019 11:45 AM
here is the link: https://api.azirevpn.com/v1/warrantcanary and attached the txt file.
Thank you for support Steve
Support Staff 8 Posted by Steve on 22 Nov, 2019 02:26 PM
We tried to verify the signature of the link you sent and were able to do so.
For the verification to be successful keep in mind that you need to have the public key first. So search for the fingerprint they give and after downloading the public key please retry.
Also you may want to ask that company to upload and verify theri public key to keys.openpgp.org
9 Posted by OJ on 22 Nov, 2019 03:25 PM
Here is my result.
Support Staff 10 Posted by Steve on 22 Nov, 2019 08:43 PM
Importing the signature into GPG Keychain won't work as that is the key manager.
11 Posted by OJ on 22 Nov, 2019 09:35 PM
Thank you Steve,
and please remove the second printscreen.... !!!
Support Staff 12 Posted by Steve on 22 Nov, 2019 09:43 PM
Glad this is solved for you. I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.
Steve closed this discussion on 22 Nov, 2019 09:43 PM.