When I download GCC, it also has a .sig file, and I think it is provided to verify downloaded file. (I downloaded GCC from here).
But I can't figure out how should I use it. I tried gpg, but it complains about public key.
[root@localhost src]# gpg --verify gcc-4.7.2.tar.gz.sig gcc-4.7.2.tar.gz gpg: Signature made Thu 20 Sep 2012 07:30:44 PM KST using DSA key ID C3C45C06 gpg: Can't check signature: No public key [root@localhost src]#  How can I verify downloaded file with .sig file?
Step 1: Right-click on the program that you want to check and select properties from the context menu that is displayed. Step 2: Select the Digital Signatures tab in the Properties window. Step 3: If you see signatures listed on the tab, you know that the file has been signed digitally.
To verify your belief that someone has signed a file, you will need a copy of that person's Public Key, a copy of the file, and a copy of the signature-file that was allegedly created through the interaction of the person's Secret Key and the file. Acquire the Public Key. Import the Public Key into GPG.
You need to import public key: C3C45C06
Can be done in three steps.
find public key ID:
$ gpg gcc-4.7.2.tar.gz.sig gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06 gpg: Can't check signature: No public key
import the public key from key server. It's usually not needed to choose key server, but it can be done with --keyserver <server>. Keyserver examples.
$ gpg --recv-key C3C45C06 gpg: requesting key C3C45C06 from hkp server keys.gnupg.net gpg: key C3C45C06: public key "Jakub Jelinek [email protected]" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1
If the command error's out with a timeout, you may be behind a firewall that is blocking the default gpg port. Try using the `--keyserver' option with port 80 (almost all firewalls allow port 80 b/c of web browsing):
$ gpg --keyserver hkp://${HOSTNAME}:80 --recv-keys ${KEY_ID} verify signature:
$ gpg gcc-4.7.2.tar.gz.sig gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06 gpg: Good signature from "Jakub Jelinek [email protected]" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06
The output should say "Good signature".
gpg: WARNING: This key is not certified with a trusted signature!
Is for another question ;)
This other avenue is particularly useful for verifying GNU projects (e.g. Octave) since the key requested by their signature may not be found in any key server.
From https://ftp.gnu.org/README
There are also .sig files, which contain detached GPG signatures of the above files, automatically signed by the same script that generates them.
You can verify the signatures for gnu project files with the keyring file from:
https://ftp.gnu.org/gnu/gnu-keyring.gpg
In a directory with the keyring file, the source file to verify and the signature file, the command to use is:
$ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With