[OTR-users] Problem with signature file?

Andy Roberson gosooners2091 at gmail.com
Thu Feb 13 12:21:56 EST 2014 

Thanks Felix, I realized I had said "encrypt" instead of "sign" after I
sent it. My bad.

The key for me was figuring out I need to retrieve the key from a
keyserver instead of trying to import the ASC signature file directly
into GPG.

I'm all good now, and a bit more educated. ;-)

Thanks all!

Andy

On 02/13/2014 10:53 AM, Felix Eckhofer wrote:
> Andy,
> 
> I think you are confusing "key" and "signature".
> 
> Am 13.02.2014 17:07, schrieb Andy Roberson:
>> I am not able to import the key from
>> https://otr.cypherpunks.ca/pidgin-otr-4.0.0.tar.gz.asc onto my keyring,
> 
> pidgin-otr-4.0.0.tar.gz.asc is not a key, it is a signature for the
> tarball, created with the "OTR Dev Team" key.
> 
>> so the gpg --verify command isn't working for me yet. I was able to
>> identify the signature used to encrypt the file, and import that one.
>> But I presume that really isn't verifying anything other than the fact
>> the file is properly signed by "someone".
> 
> So you have imported the key used to *sign* (not encrypt) the file.
> Unless you verify that this key used to create the signature is in some
> way "trusted" you are indeed not going to get more than "it is signed by
> someone". This is what the web of trust is meant to achieve (although it
> is not really helpful in this case). Asking in this mailing list might
> be one way to increase your trust that the key is indeed the correct
> one. For the record: When I download pidgin-otr-4.0.0.tar.gz, it is
> signed by
> 
> : pub   1024D/DED64EBB2BA87C5C 2004-12-01
> :       Key fingerprint = 5769 79E7 D0CA B38C 7AA3  DDBD DED6 4EBB 2BA8
> 7C5C
> 
> Other ways I can think of would be checking whether this is the same key
> used to sign older releases you may have downloaded some time ago or
> testing whether you get the same file from different internet
> connections and computers.
> 
> 
> felix
> 
> _______________________________________________
> OTR-users mailing list
> OTR-users at lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users

-- 

Thanks,
Andy

Support online privacy by sending encrypted email when possible.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xC40C4F93.asc
Type: application/pgp-keys
Size: 6103 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20140213/2293aa4f/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20140213/2293aa4f/attachment.pgp>

More information about the OTR-users mailing list