Can Someone Check My Understanding of gpg

Discussion in 'encryption problems' started by anon_private, Jan 17, 2015.

  1. anon_private

    anon_private Registered Member

    Joined:
    Feb 28, 2010
    Posts:
    57
    Location:
    UK
    If I use gpg to check the validity of a file, say file.tar.xz, using a file.tar.xz.asc (downloaded to the PC), i.e.

    gpg --verify file.tar.xz.asc file.tar.xz

    Does this command simply compare file.xz.asc with the same (hopefully the same) file stored in file.tar.xz?

    Or is it more complicated? If so, please explain.

    Thanks
     
  2. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    The .asc is a detached signature file. The verify command downloads the public key of the signer and uses it to decrypt the .asc sig file. That is a hash of the tar file. It then hashes the tar file itself and compares the two hashes. If they are the same then the signature is good.
     
  3. anon_private

    anon_private Registered Member

    Joined:
    Feb 28, 2010
    Posts:
    57
    Location:
    UK
    Thanks for responding.

    I am a little confused when you talk of tar files.

    In my example, gpg --verify file.tar.xz.asc file.tar.xz, both files are tar files.

    I am not sure how verify verifies the file.tar.xz file.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    The file "file.tar.xz.asc" is an ASCII text file, not an archive. Just look at "file.tar.xz.asc" in a text editor, and you'll see.
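The following is an added example, not code posted by anyone in this thread. It walks through what mvario describes (gpg hashes file.tar.xz and checks that hash against the one inside the detached signature) and what mirimir points out (the .asc is plain ASCII text, not an archive). It runs entirely inside a throwaway GNUPGHOME with a throwaway key; the signer identity, the file contents and the "tampered" second version are all constructed here and stand in for a real release tarball. It assumes GnuPG 2.1 or later, since it uses --quick-generate-key.

```shell
#!/bin/sh
# Added example (not from the forum thread): round-trip a detached signature.
# Everything lives in a temporary GNUPGHOME so nothing touches your real keyring.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
SIGNER="Example Signer <signer@example.invalid>"   # hypothetical identity, constructed

# 1. Generate a throwaway signing key with no passphrase (gpg >= 2.1 syntax).
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$SIGNER" default default never >/dev/null 2>&1
}

# 2. Build a sample artefact; this constructed text stands in for file.tar.xz.
make_artifact() {
    printf 'release payload v1\n' > "$WORK/file.tar.xz"
}

# 3. Create the detached, ASCII-armoured signature file.tar.xz.asc.
#    gpg hashes file.tar.xz and signs that hash; the .asc holds only the signature,
#    not a copy of the file.
sign_artifact() {
    gpg --batch --quiet --yes --armor --local-user "$SIGNER" \
        --detach-sign --output "$WORK/file.tar.xz.asc" "$WORK/file.tar.xz" 2>/dev/null
}

# 4. Verify exactly as in the thread. Exit status 0 means the hash gpg computes
#    over file.tar.xz now matches the hash the signer's key vouched for.
verify_artifact() {
    gpg --batch --quiet --verify "$WORK/file.tar.xz.asc" "$WORK/file.tar.xz" >/dev/null 2>&1
}

# The .asc is readable text: its first line is the PGP armor header.
asc_header() {
    head -n 1 "$WORK/file.tar.xz.asc"
}

# End-to-end check: sign, verify (must pass), change the file, verify again (must fail).
demo() {
    gen_key && make_artifact && sign_artifact || return 1
    verify_artifact || { echo "untampered file should verify" >&2; return 1; }
    # A one-line change to the artefact (constructed) changes its hash, so the
    # signature over the old hash no longer matches.
    printf 'release payload v2\n' > "$WORK/file.tar.xz"
    if verify_artifact; then
        echo "modified file must NOT verify" >&2
        return 1
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "detached signature round-trip behaved as expected"
}
```

Run it with `sh` and call `demo`; the second verify prints "BAD signature" if you drop the `--quiet` and redirection, which is the check that matters when a downloaded tarball has been altered after signing. Note that with a key generated locally like this, gpg has no reason to trust the signer; in practice you still have to obtain and check the publisher's real key fingerprint separately, because a valid signature only proves the file matches what the holder of that key signed.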
     