Home / ubuntu / Questions / 48508
Accepted
Amanda
Asked: 2011-06-14 05:24:27 +0800 CST

How do I verify an asc key fingerprint?

  • 772

At the moment, I'm trying to check the fingerprint of the oracle_vbox.asc key that I downloaded from http://www.virtualbox.org/wiki/Linux_Downloads: they provide the key and the fingerprint but no instructions for reviewing this information myself.

How do I show the fingerprint of the key I just downloaded?

apt-key finger oracle_vbox.asc shows the fingerprints of all trusted keys, which isn't what I want.

gnupg

4 Answers

  1. Best Answer

    Get the key:

    $ wget http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc

    Print the key fingerprint with GPG version 1:

    $ gpg --with-fingerprint oracle_vbox.asc 
pub  1024D/98AB5139 2010-05-18 Oracle Corporation
                      (VirtualBox archive signing key) <[email protected]>
      Key fingerprint = 7B0F AB3A 13B9 0743 5925  D9C9 5442 2A4B 98AB 5139
sub  2048g/281DDC4B 2010-05-18
      Key fingerprint = 27B0 97CF 8257 4209 C434  8D42 B674 8A65 281D DC4B

    Note that the 2nd fingeprint is just the fingerprint of the sub-key.

    Print the fingerprint with GPG version 2:

    $ gpg2 -n -q --import --import-options import-show  oracle_vbox.asc   
pub   dsa1024 2010-05-18 [SC]
      7B0FAB3A13B907435925D9C954422A4B98AB5139
uid   Oracle Corporation (VirtualBox archive signing key) <[email protected]>
sub   elg2048 2010-05-18 [E]

    Note that -n is an alias for --dry-run, i.e. the key isn't actually imported.

    Alternatively, to just display the fingerprints:

    $ gpg2 -nq --import --import-options import-show --with-colons oracle_vbox.asc \
     | awk -F: '$1 == "fpr" { print $10 }'
7B0FAB3A13B907435925D9C954422A4B98AB5139
27B097CF82574209C4348D42B6748A65281DDC4B
    • 29

  2. Step 1

    $ deb http://download.virtualbox.org/virtualbox/debian artful contrib

    Step 2

    $ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -

    Step 3

    $ apt-key list

    or, equivalently,

    $ apt-key finger

    which should return

    /etc/apt/trusted.gpg
--------------------
pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) <[email protected]>
sub   rsa4096 2016-04-22 [E]

    which in turn should be equivalent to

    The key fingerprint for oracle_vbox_2016.asc is

    B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
Oracle Corporation (VirtualBox archive signing key) <[email protected]>

    on https://www.virtualbox.org/wiki/Linux_Downloads, either by visual inspection or further command line fu.

    Related links:

    • 9

  3. This works with GPG 2 (at least I could check it with versions 2.1.18 and 2.2.12):

    wget http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc
gpg_home=$(mktemp -d)
gpg --homedir "$gpg_home" --import oracle_vbox.asc
# gpg: keybox '/tmp/tmp.CHoWuJBy7N/pubring.kbx' created
# gpg: /tmp/tmp.CHoWuJBy7N/trustdb.gpg: trustdb created
# gpg: key 54422A4B98AB5139: public key "Oracle Corporation (VirtualBox archive signing key) <[email protected]>" imported
# gpg: Total number processed: 1
# gpg:               imported: 1
gpg --homedir "$gpg_home" --list-keys
# /tmp/tmp.CHoWuJBy7N/pubring.kbx
# -------------------------------
# pub   dsa1024 2010-05-18 [SC]
#       7B0FAB3A13B907435925D9C954422A4B98AB5139
# uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) <[email protected]>
# sub   elg2048 2010-05-18 [E]
#

    Source: https://unix.stackexchange.com/a/468889

    • 1

  4. You have both the key and the fingerprint? Run:

    ssh-keygen -lf key.pub

    against the key to get the fingerprint.

    ssh-keygen reference: http://www.manpagez.com/man/1/ssh-keygen/

    • 0