I'd like to create a script that downloads and GPG-verifies files into my docker image. From the Apache docs I see that, for verification, I need to do:
gpg --import KEYS
gpg --verify downloaded_file.tgz.asc downloaded_file.tgz
I'd like to omit the first step as it changes "some files somewhere". The reason here is I'd like to keep the docker image as-untouched-as-possible. I'd prefer simply calling something like: gpg --using-keys KEYS --verify file.tgz.asc file.tgz. Is it possible?
I've tried using --no-default-keyring --keyring KEYS as mentioned here, but I can't interpret the output correctly (it prints Can't check signature: public key not found. When I remove the --no-default-keyring the output seems fine, but I've previously imported the KEYS file and don't know how to unimport it to see the clear result).
The KEYS, .tgz and .tgz.asc files are from Apache Kafka.
To verify your belief that someone has signed a file, you will need a copy of that person's Public Key, a copy of the file, and a copy of the signature-file that was allegedly created through the interaction of the person's Secret Key and the file.
An ASC file is an armored ASCII file used by Pretty Good Privacy (PGP), an encryption program utilized for secure communication. It contains a digitally signed message and may store plain-text written information, as well as binary information encoded as text.
I am a newbie to gpg so take this with a grain of salt, but something like this works well enough for me. Tested on Debian with gpg (GnuPG) 2.1.18: test.asc is a public key which we do not want to import, test.tar.bz2.asc is a file signature made with the above public key, and test.tar.bz2 is the file to verify. First I dearmor the keys, then use them to verify the file signature:
gpg --dearmor ./test.asc
gpg --dearmor ./test.tar.bz2.asc
gpg --dry-run --no-default-keyring --keyring ./test.asc.gpg --homedir ./ --verify ./test.tar.bz2.asc.gpg ./test.tar.bz2
Of course gpg complains that the signature is not trusted and creates a trustdb in the current folder:
gpg: WARNING: unsafe permissions on homedir '/tmp/./'
gpg: Signature made Mi 24 Apr 2019 21:52:46 CEST
gpg: using RSA key xxxxxxxxxxxxxxxx
gpg: /tmp/.//trustdb.gpg: trustdb created
gpg: Good signature from "example security <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx
But this fails afterwards:
gpg --dry-run --homedir ./ --verify ./test.tar.bz2.asc.gpg ./test.tar.bz2
gpg --dry-run --verify ./test.tar.bz2.asc.gpg ./test.tar.bz2
gpg --verify ./test.tar.bz2.asc.gpg ./test.tar.bz2
So I assume that the key was not imported into the usual key db.
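As an added example (my own code, not from the question or the answer above), here is the other common way to get the "verify without touching the image" behaviour the question asks for: import KEYS into a throwaway GNUPGHOME, verify against it, then delete it, so no keyring or trustdb is left behind. The function name and the optional pinned-fingerprint check are assumptions of mine; the KEYS file itself still has to be fetched from a location you trust (for Apache projects, the project's KEYS page rather than a download mirror), because any key in it will be accepted.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): verify a
# detached signature against an Apache-style KEYS file without importing
# anything into the default keyring. The keys go into a throwaway GNUPGHOME
# that is deleted afterwards, so the Docker image keeps no state.
# Function name and the optional fingerprint pinning are my own additions.
set -eu

# Usage: verify_with_keys KEYS SIGNATURE FILE [EXPECTED_PRIMARY_FINGERPRINT]
# Returns 0 only for a good signature (and, if given, a matching fingerprint).
verify_with_keys() {
    keys=$1; sig=$2; file=$3; want_fpr=${4:-}
    home=$(mktemp -d) || return 1
    chmod 700 "$home"               # gpg wants the homedir to be 0700
    status=0
    gpg --homedir "$home" --batch --quiet --import "$keys" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        # --status-fd 1 emits machine-readable lines; VALIDSIG's last field is
        # the primary key fingerprint of the key that made the signature.
        out=$(gpg --homedir "$home" --batch --status-fd 1 \
                  --verify "$sig" "$file" 2>/dev/null) || status=$?
        if [ "$status" -eq 0 ]; then
            got_fpr=$(printf '%s\n' "$out" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
            [ -n "$got_fpr" ] || status=1
            if [ -n "$want_fpr" ] && [ "$got_fpr" != "$want_fpr" ]; then
                status=1            # good signature, but not from the pinned key
            fi
        fi
    fi
    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home"                  # nothing of the keys remains in the image
    return "$status"
}

# Stand-alone use: ./verify.sh KEYS file.tgz.asc file.tgz [FINGERPRINT]
if [ "$#" -ge 3 ]; then
    verify_with_keys "$@" && echo "signature OK" || { echo "verification FAILED" >&2; exit 1; }
fi
```

In a Dockerfile RUN step this leaves no keyring, trustdb or agent socket behind, and pinning the fingerprint protects against a KEYS file that has had an extra key appended.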