Verifying files with GPG, without a .sig or .asc file

gnupg, pgp

From my limited knowledge of PGP/GPG, one must have 2 things to verify a file:

  • The file's "signature" (essentially a hash of the file encrypted with the trusted
    entity's private key; normally distributed as a .sig binary or .asc base64 file).

  • The trusted entity's public key.

And it seems to be in line with the examples I looked at using gpg. However, I'm a bit confused as I try to verify a file downloaded from one of GCC's mirror sites. On the mirror site listing page (http://gcc.gnu.org/mirrors.html), it says:

The archives (hosted on these mirrors) will be signed by one of the
following GnuPG keys:

And then it lists 6 possible keys:

1024D/745C015A 1999-11-09 Gerald Pfeifer <gerald@pfeifer.com>
Key fingerprint = B215 C163 3BCA 0477 615F 1B35 A5B3 A004 745C 015A

1024D/B75C61B8 2003-04-10 Mark Mitchell <mark@codesourcery.com>
Key fingerprint = B3C4 2148 A44E 6983 B3E4 CC07 93FA 9B1A B75C 61B8

1024D/902C9419 2004-12-06 Gabriel Dos Reis <gdr@acm.org>
Key fingerprint = 90AA 4704 69D3 965A 87A5 DCB4 94D0 3953 902C 9419

1024D/F71EDF1C 2000-02-13 Joseph Samuel Myers <jsm@polyomino.org.uk>
Key fingerprint = 80F9 8B2E 0DAB 6C82 81BD F541 A7C8 C3B2 F71E DF1C

2048R/FC26A641 2005-09-13 Richard Guenther <richard.guenther@gmail.com>
Key fingerprint = 7F74 F97C 1034 68EE 5D75 0B58 3AB0 0996 FC26 A641

1024D/C3C45C06 2004-04-21 Jakub Jelinek <jakub@redhat.com>
Key fingerprint = 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06 

All it provides are those key IDs and fingerprints (not the actual keys themselves), and nowhere on the page (or on any of the mirrors, or even within the 4.8.0 tarball) is a .sig/.asc signature file.

My question: How am I supposed to verify this tarball (http://gcc.petsads.us/releases/gcc-4.8.0/gcc-4.8.0.tar.gz) without a signature file, and without knowing the public key, or without knowing which of the 6 keys may have been used to sign the file? Can someone with more knowledge of GPG please explain the simplest way to verify this file?

Best Answer

Received an explanation from the GNU/GCC team about this, and the .sig files were missing due to an error with file replication to their mirror servers. From the team:

Interestingly, the .sig files are only on the GNU server (e.g., http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/) but not on the GCC server (e.g., ftp://gcc.gnu.org/pub/gcc/releases/gcc-4.8.0/). As the latter is used by the mirrors, it is also not available on the mirrors.

I found the .sig files on the GNU server like they suggested, but then had to dig some more to find the "GNU keyring file" required to actually verify the signature. All in all, the verification process was:

$ wget http://www.netgull.com/gcc/releases/gcc-4.8.0/gcc-4.8.0.tar.gz
$ wget http://ftp.gnu.org/gnu/gcc/gcc-4.8.0/gcc-4.8.0.tar.gz.sig
$ wget ftp://ftp.gnu.org/gnu/gnu-keyring.gpg
$ gpg --verify --keyring ./gnu-keyring.gpg ./gcc-4.8.0.tar.gz.sig

gpg: Signature made Fri 22 Mar 2013 08:32:29 AM CDT using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek <jakub@redhat.com>"
gpg: Note: This key has expired!
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29  3709 A328 C3A2 C3C4 5C06

Hopefully this helps anyone else trying to verify a tarball downloaded from one of GCC's mirror sites.
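One thing the answer's output shows but does not check is which key actually signed the tarball. "Good signature" only proves the signature matches some key in gnu-keyring.gpg (which itself arrived over plain FTP); the fingerprints published on the mirrors page are what tie that key to GCC. The script below is an added example, not part of the answer above and not GCC's own tooling: it runs gpg with --status-fd and accepts the tarball only if the VALIDSIG line names one of the six published fingerprints. The function names check_status and verify_tarball, the GCC_FINGERPRINTS list (copied from the question) and the constructed SAMPLE_STATUS are this example's own; the gpg flags are real. It assumes gpg is installed and the three files were downloaded as in the answer.

```shell
#!/bin/sh
# Added example, not from the original answer: verify the GCC tarball's detached
# signature and pin the signer to the fingerprints published on the mirrors page.
# Assumes gpg is installed and gcc-4.8.0.tar.gz, gcc-4.8.0.tar.gz.sig and
# gnu-keyring.gpg are already in the current directory (as in the answer).

# The six fingerprints quoted from http://gcc.gnu.org/mirrors.html, spaces removed.
GCC_FINGERPRINTS="B215C1633BCA0477615F1B35A5B3A004745C015A
B3C42148A44E6983B3E4CC0793FA9B1AB75C61B8
90AA470469D3965A87A5DCB494D03953902C9419
80F98B2E0DAB6C8281BDF541A7C8C3B2F71EDF1C
7F74F97C103468EE5D750B583AB00996FC26A641
33C235A34C46AA3FFB293709A328C3A2C3C45C06"

# check_status ALLOWED_FPRS: read gpg --status-fd output on stdin.
# gpg emits VALIDSIG only when the signature is cryptographically valid; it is
# emitted for expired keys too (the human-readable "Good signature" becomes
# EXPKEYSIG, which is reported here but not treated as a failure, matching the
# answer). Prints "<signing fingerprint> current|expired" and returns 0 when the
# signing key (or its primary key) is in ALLOWED_FPRS; returns 1 otherwise.
check_status() {
    allowed="$1"
    signer=""
    primary=""
    expired=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <res>
                #         <pk-algo> <hash-algo> <class> <primary-key-fpr>
                set -- $line
                signer="$3"
                shift $(($# - 1))
                primary="$1"
                ;;
            "[GNUPG:] EXPKEYSIG "*) expired=1 ;;
        esac
    done
    if [ -z "$signer" ]; then
        echo "no VALIDSIG line: signature is not valid for this file" >&2
        return 1
    fi
    for fpr in $allowed; do
        if [ "$fpr" = "$signer" ] || [ "$fpr" = "$primary" ]; then
            if [ "$expired" -eq 1 ]; then state=expired; else state=current; fi
            printf '%s %s\n' "$signer" "$state"
            return 0
        fi
    done
    echo "signature is valid but key $signer is not a published GCC key" >&2
    return 1
}

# verify_tarball TARBALL SIG KEYRING: the real check. --no-default-keyring keeps
# keys in the user's own keyring from satisfying the verification, and naming
# the tarball explicitly avoids gpg guessing the signed file from the .sig name.
verify_tarball() {
    gpg --no-default-keyring --keyring "$3" --status-fd 1 \
        --verify "$2" "$1" 2>/dev/null | check_status "$GCC_FINGERPRINTS"
}

# Constructed status output modelled on the gpg messages in the answer (the
# timestamp and algorithm fields are illustrative, not captured from gpg).
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG A328C3A2C3C45C06 Jakub Jelinek <jakub@redhat.com>
[GNUPG:] VALIDSIG 33C235A34C46AA3FFB293709A328C3A2C3C45C06 2013-03-22 1363959149 0 4 0 17 2 00 33C235A34C46AA3FFB293709A328C3A2C3C45C06"

# Stand-alone run: exercise the parser offline on the constructed output; the
# commented line is how the real check is invoked after the downloads above.
printf '%s\n' "$SAMPLE_STATUS" | check_status "$GCC_FINGERPRINTS"
# verify_tarball gcc-4.8.0.tar.gz gcc-4.8.0.tar.gz.sig gnu-keyring.gpg
```

The published fingerprint list is the trust anchor here, so it is worth reading it from the gcc.gnu.org page directly rather than from a mirror. A valid signature from a key outside that list means the keyring, not just the tarball, should be questioned; the expired-key note from the answer is surfaced as "expired" so the operator sees it without the check silently passing or failing on it.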
