As an example, this project offers an *.asc file with a PGP signature to verify the contents of the download (as opposed to a checksum, you can see the empty column): https://ossec.github.io/downloads.html
How would I use this file? I tried gpg --verify and other variants, but it seems to be matching the name up to the file, however the filename as it is downloaded is not exactly the same... not sure how it is supposed to work.
I'm new to this PGP thing. Here are my questions:
Verification
When I do this, I'm given the message "This key is not certified with a trusted signature". Is there anyway to make it trusted and better yet what's the proper way for doing so?
[root@dev /]# gpg --verify bind-9.9.4-P2.tar.gz.sha512.asc bind-9.9.4-P2.copiedlink.tar.gz
gpg: Signature made Fri 03 Jan 2014 01:58:50 PM PST using RSA key ID 189CDBC5
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2013) <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B48 A38A E1CF 9886 435F 89EE 45AC 7857 189C DBC5
Managing Key
I downloaded and saved a public key as isc.public.key, and imported it using the following command:
gpg –import isc.public.key
I'm sure there is an expiration date on it so how do I do the following:
Thanks!
When encrypting a file to send to a collaborator, I see this message:
gpg: using subkey XXXX instead of primary key YYYY
Why would that be? I've noticed that when they send me an encrypted file, it also appears to be encrypted towards my subkey instead of my primary key. For me, this doesn't appear to be a problem; gpg (1.4.x, macosx) just handles it & moves on. But for them, with their automated tool setup, this seems to be an issue, and they've requested that I be sure to use their primary key.
I've tried to do some reading, and I have the Michael Lucas's "GPG & PGP" book on order, but I'm not seeing why there's this distinction. I have read that the key used for signing and the key used for encryption would be different, but I assumed that was about public vs private keys at first.
In case it was a trust/validation issue, I went through the process of comparing fingerprints and verifying, yes, I trust this key. While I was doing that, I noticed the primary & subkeys had different "usage" notes:
primary: usage: SCA
subkey: usage: E
"E" seems likely to mean "Encryption". But, I haven't been able to find any documentation on this. Moreover, my collaborator has been using these tools & techniques for some years now, so why would this only be a problem for me?
I've got a ton of processes running in the background to try and get enough entropy, but I am still failing.
**We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 210 more bytes)**
I need a method to generate the key that works, cause what I'm trying to do is failing apparently.
I understand that keyservers are using the port 11371 but in many cases you are not allowed to connect to this port and you cannot add
There a many cases when you cannot modify the firewall configuration.
Example command that fails
gpg --keyserver keyserver.ubuntu.com --recv-keys 0A5174AF
How do you solve this issue?