Verifying signed files with Gpg4win

Discussion in 'privacy technology' started by BoerenkoolMetWorst, Jun 6, 2014.

Thread Status:
Not open for further replies.
  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Is there an easy guide on how to verify download files with Gpg4Win?
    I installed the program, downloaded an exe and the asc key file and used the GpgEX context menu entry.
    I'm getting the error: Not enough information to check signature validity.
    I read that it means the signature is valid, but not trusted, so I must import the public key from the signer first.
    However, if I use the same key file to validate a totally different exe, I'm still getting the same error, so it looks like there's no validation at all.
     
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Thanks, but it is still strange that it makes no difference whether the file is signed correctly or not.
    I used the instructions from Tor to verify with CMD: https://www.torproject.org/docs/verifying-signatures.html.en
    If I do it that way (without signing their key with mine), it tells me the signature is good, but not trusted. If I use the same signature to verify another, unrelated file, it tells me the signature is bad, like it should. If I use the context menu with the included GpgEX, it doesn't show any difference between the proper file and another file.
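
The thread turns on two separate answers gpg gives: whether the signature matches the file, and whether the signing key is trusted. The sketch below is an added example, not taken from any post in this thread; it reads gpg's machine-readable `--status-fd` output and reports the two answers separately. The function names and the sample status lines are constructed for illustration, and `verify_file` assumes `gpg` is on the PATH.

```python
import subprocess

# Keywords from GnuPG's machine-readable status interface (--status-fd).
INTEGRITY = {"GOODSIG": "good", "BADSIG": "bad", "ERRSIG": "cannot-check",
             "EXPSIG": "good-expired-sig", "EXPKEYSIG": "good-expired-key",
             "REVKEYSIG": "good-revoked-key"}
TRUST = {"TRUST_UNDEFINED": "untrusted", "TRUST_NEVER": "untrusted",
         "TRUST_MARGINAL": "marginal", "TRUST_FULLY": "trusted",
         "TRUST_ULTIMATE": "trusted"}
# Worst result wins if several signature results appear in one run.
RANK = ["no-result", "good", "good-expired-sig", "good-expired-key",
        "good-revoked-key", "cannot-check", "bad"]

def classify(status_text):
    """Return (integrity, trust) parsed from `gpg --status-fd` output."""
    integrity, trust = "no-result", None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # human-readable text, not a status line
        kw = fields[1]
        if kw in INTEGRITY:
            if RANK.index(INTEGRITY[kw]) > RANK.index(integrity):
                integrity = INTEGRITY[kw]
        elif kw in TRUST:
            trust = TRUST[kw]
    return integrity, trust

def verify_file(sig_path, data_path):
    """Check a detached signature against a file (hypothetical helper)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return classify(proc.stdout)

# Constructed status output: right file, key imported but not certified.
GOOD_UNTRUSTED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
# Constructed: same signature checked against an unrelated file.
WRONG_FILE = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>\n")
# Constructed: signer's public key is not in the keyring.
NO_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1402000000 9\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
```

A result of `("good", "untrusted")` means the file matches the signature and only the key's ownership is unconfirmed; `"bad"` or `"cannot-check"` means the file should not be accepted on the strength of that signature.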
     