or Create a profile

Home Feedback

How can I verify signed files like Tor Installer with additional sig file?

0J's Avatar

0J

19 Nov, 2019 08:37 AM

Hi,
I'm missing one very important "how to". Maybe it is buried somewhere and cannot find it...

I want to use GPG Tools just to verify the signature of a downloaded .dmg installer.
For example the Tor installer is signed only with PGP, unfortunately for me no checksum.

Anyone to give me a link please? Thanx

  1. Support Staff 1 Posted by Steve on 20 Nov, 2019 01:50 PM

    Steve's Avatar

    Hi 0J,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    This KB-article explains how to verify signed files.

    Let me know if you have more questions or need further assistance after going through that KB.

    All the best,
    Steve

  2. 2 Posted by 0J on 20 Nov, 2019 05:58 PM

    0J's Avatar

    Hello Steve,
    thank you very much for help!

  3. Steve closed this discussion on 20 Nov, 2019 06:00 PM.

  4. OJ re-opened this discussion on 21 Nov, 2019 09:47 AM

  5. 3 Posted by OJ on 21 Nov, 2019 09:47 AM

    OJ's Avatar

    Hello Steve,
    something is wrong, maybe I'm wrong :-)

    I tried to paste from clipboard the PGP Signature

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEdYzJWMKIiDwvgTtNGUkNSIx2SxAFAl3ARWwACgkQGUkNSIx2
    SxAJ2RAAmlhykI0fKyw7WJXFvrIDQA6cvqfXd4Q62HClW+PWXccDJDsq+QXX1IUw
    Nho0rm94ya+6JeMZhEMyY1I0kSmIH0sAzXGqSxrcyFlNzlX2zkD9BuaI9sDpKvX5
    a317rbviLeJ2cC9rbo/zl6pS3ElreYLUvA2KOEHXvZKMg7AXIyRx5qc2LtC/4rOU
    sB7sP5StefdVHXWkhpfD6AJEfNoYBRDKb/BaiZny4v8AJ+mTz2ywiA7omwOM9hBc
    Y66axTvviWAuT/fy7OMgmnsz725wXBlg7CZvIvJG9hy4euozDD3How+kty+pk+JF
    vwjkzQ5n7NWmSGCBr1QPxhgRWNpy8ZSCLLsgeknhXgCH6AqUKKuyhUPc381ckYrz
    JoImHKfW6sBrW7rZkWYs3GYmi4kN55QKk9wX/KkGMp3E8mY/+5CltIe/HtapoyH6
    /HU5w4F8s5v+sF/F4erz09nAgCMiE03E46430yCIT/RZ24d+teHWRLsuwAKIxlr7 4zm62xxMwQIXRXFO38aKsSa7Jr1Z0snSGp68rDns0I+GgjUTW3tQL4kN7SiIcTKi
    bc782EzJMRMdEcVKA1G2pVIRLgBS5SvdculObz+cLoHADoEihS6wYbKF1sRlI56e
    8r4BFr6yz96CfI54124lvu/YWf9JFAYDt3J+X9zfSx9BM8U/5i8=
    =KLK6 -----END PGP SIGNATURE-----

    and get the answer that this is not a signature and the same message from a .txt file I created..

    Some more help please?

  6. Support Staff 4 Posted by Steve on 21 Nov, 2019 10:30 PM

    Steve's Avatar

    Can you please list the steps you took to create the signature and then the steps you took to verify.

  7. 5 Posted by OJ on 22 Nov, 2019 08:37 AM

    OJ's Avatar

    Hello Steve,
    First I have to mention that this is not an installer file signature, it is a canary signature.

    1. I copied the signature and pasted in to the PGP app window - the answer was Not an valid signature.

    2. I created an .txt file with the content of the signature and pulled the closed file into the PGP app window. Same answer as in step 1.

    Thank you

  8. Support Staff 6 Posted by Steve on 22 Nov, 2019 09:20 AM

    Steve's Avatar

    Can you link to the age with the canary signature so we can try to reproduce why the verification is not working for you.

    And please also attach the txt file you created again so that we can reproduce the issue and see what is going wrong.

  9. 7 Posted by OJ on 22 Nov, 2019 11:45 AM

    OJ's Avatar

    here is the link: https://api.azirevpn.com/v1/warrantcanary and attached the txt file.

    Thank you for support Steve

  10. Support Staff 8 Posted by Steve on 22 Nov, 2019 02:26 PM

    Steve's Avatar

    We tried to verify the signature of the link you sent and were able to do so.

    For the verification to be successful keep in mind that you need to have the public key first. So search for the fingerprint they give and after downloading the public key please retry.

    Also you may want to ask that company to upload and verify theri public key to keys.openpgp.org

    Best,
    Steve

  11. 9 Posted by OJ on 22 Nov, 2019 03:25 PM

    OJ's Avatar

    Here is my result.

  12. Support Staff 10 Posted by Steve on 22 Nov, 2019 08:43 PM

    Steve's Avatar

    Importing the signature into GPG Keychain won't work as that is the key manager.

    Please

    1. visit https://api.azirevpn.com/v1/warrantcanary
    2. mark all with cmd + A
    3. right click > Services > OpenPGP: Verify Signature of Selection

  13. 11 Posted by OJ on 22 Nov, 2019 09:35 PM

    OJ's Avatar

    Thank you Steve,
    and please remove the second printscreen.... !!!

    OJ

  14. Support Staff 12 Posted by Steve on 22 Nov, 2019 09:43 PM

    Steve's Avatar

    Glad this is solved for you. I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.

    Best,
    Steve

  15. Steve closed this discussion on 22 Nov, 2019 09:43 PM.

Comments are currently closed for this discussion. You can start a new one.

  • New Issue

  • Conversation Started

  • The discussion is closed

    No more actions from GPGTools or the discussion starter are required.

  • Re-open the discussion

Private Permissions

This discussion is private. Only you and GPGTools support staff can see and reply to it.

Public Permissions

This discussion is public. Everyone can see and reply to it.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac

Recent Discussions

20 May, 2025 08:53 PM GPG Keys
20 May, 2025 10:15 AM VirusTotal flagged GPG Suite installer as malicious
06 May, 2025 07:01 PM GPG Keychain: Why is there still no way to create ECC keys via the GUI?
05 Apr, 2025 04:25 AM how to open
11 Mar, 2025 08:55 AM GPG Keychain: Dialog zur Erstellung von neuen Keys

Recent Articles

How to revoke a key or user ID?
How to enable GPG Mail on macOS
Modification Detection Code (MDC) Errors
Uninstall GPG Suite
GPG Mail and macOS 15 Sequoia + 14 Sonoma Known Issues