[OTR-users] Problem with signature file?

Felix Eckhofer felix at tribut.de
Thu Feb 13 11:53:57 EST 2014


Andy,

I think you are confusing "key" and "signature".

Am 13.02.2014 17:07, schrieb Andy Roberson:
> I am not able to import the key from
> https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.asc onto my keyring,

pidgin-otr-4.0.0.tar.gz.asc is not a key, it is a signature for the 
tarball, created with the "OTR Dev Team" key.

> so the gpg --verify command isn't working for me yet. I was able to
> identify the signature used to encrypt the file, and import that one.
> But I presume that really isn't verifying anything other than the fact
> the file is properly signed by "someone".

So you have imported the key used to *sign* (not encrypt) the file. 
Unless you verify that this key used to create the signature is in some 
way "trusted" you are indeed not going to get more than "it is signed by 
someone". This is what the web of trust is meant to achieve (although it 
is not really helpful in this case). Asking in this mailing list might 
be one way to increase your trust that the key is indeed the correct 
one. For the record: When I download pidgin-otr-4.0.0.tar.gz, it is 
signed by

: pub   1024D/DED64EBB2BA87C5C 2004-12-01
:       Key fingerprint = 5769 79E7 D0CA B38C 7AA3  DDBD DED6 4EBB 2BA8 7C5C

Other ways I can think of would be checking whether this is the same key 
used to sign older releases you may have downloaded some time ago or 
testing whether you get the same file from different internet 
connections and computers.


felix
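Added example (not part of Felix's mail or the pidgin-otr project): a small POSIX shell check that does what the reply describes, verifying the detached .asc signature against the tarball and accepting only if the signing key's primary fingerprint is the one quoted above, rather than "someone" whose key happens to be on the keyring. The gpg --status-fd line format is real; the sample status lines, dates and timestamps are constructed, and the file naming "<tarball>.asc" is an assumption.

```shell
#!/bin/sh
# Added example (not from the original mail). Verifies a detached signature
# and then checks that the key that made it is the expected one.

# Primary-key fingerprint of the "OTR Dev Team" key quoted in the mail,
# without spaces. Confirm it independently before relying on it.
EXPECTED_FPR="576979E7D0CAB38C7AA3DDBDDED64EBB2BA87C5C"

# Read "gpg --status-fd" lines on stdin and succeed only if a VALIDSIG line
# names the expected fingerprint. VALIDSIG's first field is the fingerprint
# of the (sub)key that signed; its last field is the primary key fingerprint.
check_status() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  while IFS=' ' read -r tag keyword fpr rest; do
    [ "$tag" = "[GNUPG:]" ] && [ "$keyword" = "VALIDSIG" ] || continue
    primary=${rest##* }
    if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
      return 0
    fi
  done
  return 1
}

# Verify "<tarball>.asc" against "<tarball>". gpg's own exit code only says
# "good signature by a key on the keyring"; the fingerprint check turns that
# into "signed by the key we expect".
verify_tarball() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed sample of gpg status output (dates and timestamps made up),
# so the parser can be exercised without a tarball or a keyring.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DED64EBB2BA87C5C OTR Dev Team
[GNUPG:] VALIDSIG 576979E7D0CAB38C7AA3DDBDDED64EBB2BA87C5C 2012-08-30 1346284800 0 4 0 17 2 00 576979E7D0CAB38C7AA3DDBDDED64EBB2BA87C5C'

# Usage: sh verify.sh pidgin-otr-4.0.0.tar.gz
if [ "$#" -ge 1 ]; then
  if verify_tarball "$1"; then
    echo "OK: signed by $EXPECTED_FPR"
  else
    echo "FAIL: not signed by the expected key" >&2
    exit 1
  fi
fi
```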



