PGP TarBall File Signature Keys Verification fails with no valid OpenPGP data found

Question

This is the first time I figured I had better check the keys of the bind software I want to install. So I downloaded what I think is a OpenPGP key ...

$ wget ftp://ftp.isc.org/isc/bind9/9.9.4/bind-9.9.4.tar.gz.sha1.asc

... then I tried to "import" this key like this ...

$ gpg --import bind-9.9.4.tar.gz.sha1.asc

... but I get this error message:

gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

What am I doing wrong?

Thanks!

Answer 1

The command syntax is gpg bind-9.9.4.tar.gz.sha1.asc. Of course, this gives an error that no public key is found. You can download public keys from pgpkeys.mit.edu.

This article explains the process step-by-step.

Answer 2

Sometimes, you read words like these: “It is essential that you verify the integrity of the downloaded files using the PGP or MD5 signatures […] using the following commands […]”.

gpg --import KEYS
gpg --verify <software-bundle>.asc

You know you should do. And without reading all of it, you may think: Two commands, one to attach the signature file and one to verify the downloaded software. It is not.

KEYS does not refer to the downloaded asc file, but to a special file named KEYS that you need to download separately. See the step “Download KEYS”. The link is not pointing to the asc file as you might think. It points to something else. These KEYS are needed to check the integrity of the asc file itself. The second command seems to perform both checks then. It verifies the asc file given as parameter (using the imported keys), but if you try to run it on the standalone asc file, it says:

gpg: no signed data
gpg: can't hash datafile: No data

So I think it also verifies the integrity of the software, too, which is expected to be a file with the same name except the tailing .asc in the same directory. (But I didn’t find a proof for this to be true by now.)