GnuPG Command Line – Verifying KeePass Signature

Tags: digital-signature, gnupg, keepass, Security, verification

I'm trying to verify the PGP Signature of the latest version of KeePass 2.14's setup file against this signature, but this is the output I receive:

C:\Program Files (x86)\GNU\GnuPG>gpg.exe --verify C:\Users\User\Desktop\KeePass-2.14-Setup.exe
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

C:\Program Files (x86)\GNU\GnuPG>

I found this command here, but it made no mention about ".sig" or ".asc" files, so I figured I did something wrong. By reading the man pages, I further tried the following:

C:\Program Files (x86)\GNU\GnuPG>gpg.exe --pgpfile C:\Users\User\Desktop\KeePass-2.14-Setup.exe
gpg: Invalid option "--pgpfile"

C:\Program Files (x86)\GNU\GnuPG>

As you can see, the results are quite obfuscating…

I took a look at this on SuperUser, but none of the links seemed to really address my question, at least not directly enough for me to get any idea on how to move forward on this.

Can anybody here help me with the esoteric technicality of OpenPGP & the associated use of the GnuPG program? I've felt pretty dumb learning VBS, but this is beyond humiliating: it's absolutely debilitating and maiming whatever confidence I had with my IT skills (then again, I have no justification for making any boast either, as I have yet to get my A+ Cert, lol).


UPDATE 04-04-2011

Okay, so I got tired of fooling around with Windows and decided I'd do it right by booting up Ubuntu; this alone made things much more logical!

So here's my list of commands and where I'm at:

  1. proto@type:~$ cd Desktop/

  2. proto@type:~/Desktop$ gpg --import KeePass-2.14-Setup.exe.asc
     gpg: no valid OpenPGP data found.
     gpg: Total number processed: 0

  3. proto@type:~/Desktop$ gpg --import Dominik_Reichl.asc
     gpg: /home/proto/.gnupg/trustdb.gpg: trustdb created
     gpg: key FEB7C7BC: public key "Dominik Reichl " imported
     gpg: Total number processed: 1
     gpg:               imported: 1

  4. proto@type:~/Desktop$ gpg --verify KeePass-2.14-Setup.exe
     gpg: no valid OpenPGP data found.
     gpg: the signature could not be verified.
     Please remember that the signature file (.sig or .asc)
     should be the first file given on the command line.

  5. proto@type:~/Desktop$ gpg --verify KeePass-2.14-Setup.exe.asc
     gpg: Signature made Sun 02 Jan 2011 05:25:24 AM MST using DSA key ID FEB7C7BC
     gpg: Good signature from "Dominik Reichl "
     gpg: WARNING: This key is not certified with a trusted signature!
     gpg:          There is no indication that the signature belongs to the owner.
     Primary key fingerprint: 2171 BEEA D0DD 92A1 8065  5626 DCCA A5B3 FEB7 C7BC

  6. proto@type:~/Desktop$ gpg --verify Dominik_Reichl.asc
     gpg: verify signatures failed: unexpected data

As Mike instructed, I placed ".exe" & the ".asc" files in the same directory, that being the Desktop. As you can see in the code, I also placed the public key "Dominik_Reichl.asc" in the Desktop directory.

Please be patient with me, as I've been thoroughly spoiled by MD5; I'm assuming that Step 5 from above is the GPG equivalent to this:

C:\Users\user\>CD Desktop

C:\Users\user\Desktop>MD5Sum KeePass-2.14-Setup.exe
bae59065b24f0a6f2ed4bb9e0d6fc65f *KeePass-2.14-Setup.exe

I say this because the behavior changes whenever I move the "KeePass-2.14-Setup.exe" file into a "temp" folder on the Desktop. When I run the command this is the result I get:

proto@type:~/Desktop$ gpg --verify KeePass-2.14-Setup.exe.asc
gpg: no signed data
gpg: can't hash datafile: file open error

These results have led me to believe that I'm supposed to extract the "DSA key ID" & the "Primary key fingerprint", from Step 5, and compare them to the values at the top of the Signature Page. So, is this where the similarity is at with MD5 verification? Is this all there is to it? Or is there a further step? Is there a command that I use to verify these two strings? Are those strings what I really need to check? What are those strings?

Now there's one other issue that I'm having to contend with. In the "Primary key fingerprint" results, I have 2 spaces between the "8065" and the "5626". When I use a spreadsheet to verify my results with the string on the Signature Page, I get a "FALSE" result because of the extra whitespace in my results. I checked the source of the Signature Page to see if the browser was ignoring the extra white space, but that's not the case.

2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC    # From Source of Signature Page
2171 BEEA D0DD 92A1 8065  5626 DCCA A5B3 FEB7 C7BC    # From My Results

As long as I remove that extra whitespace, my results match with that from the Signature Page, but shouldn't they match without any intervention on my part? Should a difference in whitespace be cause for alarm?

Unfortunately, the GPG Man Pages are still quite obscure to me, or as some may put it "user-hostile" (search "user hostile gpg"), so I'll need a couple extra carrots tossed my way. I'll admit it: I'm dumb. In fact, when I was still learning how to use MD5 verification, I floundered around with it almost as much as I did with this.

Best Answer

On the first command you provided you should be referencing the .asc signature file - not the .exe file. The .exe file should also be residing in the same directory as the .asc file.

From the gpg man page:

--verify
      Assume that the first argument is a signed file or a detached signature and verify it without generating
      any output. With no arguments, the signature packet is read from STDIN. If only a sigfile is given,
      it may be a complete signature or a detached signature, in which case the signed stuff is expected in a
      file without the ".sig" or ".asc" extension. With more than 1 argument, the first should be a detached
      signature and the remaining files are the signed stuff. To read the signed stuff from STDIN, use '-'
      as the second filename. For security reasons a detached signature cannot read the signed material from
      STDIN without denoting it in the above way.
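The man page excerpt above covers the argument order; the question also asks how to check the fingerprint that gpg prints against the one on the vendor's page when the whitespace differs. The script below is an added example, not code from the question, the answerer or the KeePass project. It wraps `gpg --verify` with the signature file first and the signed data second, reads gpg's machine-readable `--status-fd` output to get the full fingerprint of the key that made the signature, and compares it to the expected fingerprint after stripping all whitespace, so "8065  5626" and "8065 5626" compare equal. It assumes gpg is on PATH and that the signer's public key has already been imported; the function names and the use of the fingerprint from the question as a sample value are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post or the KeePass project.
# Assumptions: gpg is installed and on PATH, and the signer's public key
# was imported beforehand (gpg --import Dominik_Reichl.asc in the question).

# Remove every whitespace character and uppercase, so that gpg's
# "8065  5626" (two groups of five blocks) and a web page's "8065 5626"
# normalize to the same 40 hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only when both inputs are the same complete 160-bit fingerprint.
# A short key ID such as FEB7C7BC is rejected on purpose: only the full
# fingerprint identifies a key unambiguously.
same_fpr() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ -n "$a" ] && [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Verify DATAFILE against the detached signature SIGFILE and require that
# the signing key's fingerprint equals EXPECTED. Per the man page, the
# signature file is the first argument to --verify and the signed data the
# second. --status-fd 1 makes gpg emit "[GNUPG:] ..." lines on stdout; the
# VALIDSIG line's first field after the keyword is the full fingerprint.
verify_detached() {
    sigfile=$1; datafile=$2; expected=$3
    status=$(gpg --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null) || {
        echo "BAD: gpg did not accept the signature on $datafile" >&2
        return 1
    }
    got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    if same_fpr "$got" "$expected"; then
        echo "OK: $datafile carries a good signature from key $got"
    else
        echo "BAD: signature is valid but made by key '$got', not the expected key" >&2
        return 1
    fi
}

# Usage (fingerprint copied from step 5 of the question, used here as the
# value one would take from the vendor's signature page):
# verify_detached KeePass-2.14-Setup.exe.asc KeePass-2.14-Setup.exe \
#     "2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC"
```

The whitespace in gpg's fingerprint output is only layout, so stripping it before comparing is safe; what matters is that all 40 hex digits match. Comparing the full fingerprint rather than the 8-digit "DSA key ID" is the check that actually ties the "Good signature" line to the key the vendor publishes, and the command exits non-zero when either the signature or the key does not match, so it can be used in a script.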