

Firstly, you will need the signed software package that you wish to verify (in this case, I called it example_2). You also need the corresponding signature, which basically has the same file name, with. Thirdly, you need the public key from whoever signed the package. In this example, the file is called public.asc. Make sure the required files are in the same directory; in this example, everything is on the Desktop. Open up a terminal and change directory if necessary.

Insert the YubiKey into the USB port if it is not already plugged in. Import the public key by typing the following: gpg --import public.asc

Enter the GPG command: gpg --edit-key 1234ABC (where 1234ABC is the key ID of your key). Then enter the command: keytocard. When prompted whether you really want to move your primary key, enter y (yes). When prompted where to store the key, select 1. Press enter, and you'll see a confirmation.

Key fingerprints are usually publicly posted on the developer's website, in Twitter bios, or on sites like keybase.io. The aim is to match what you see on your terminal to what has been publicly posted, in order to prove the key is from the correct person.

The final step is to verify the software package: gpg --verify example_2

The bit you're looking for is the "Good signature" message. The key ID should be the same as the one you imported a few steps back. The other warning basically means we haven't given a trust rating to the key to prove that it belongs to the right person; however, checking the fingerprint like we did earlier should suffice for most cases. You've now successfully verified the signature of the software package. In most cases this adds a bit more security to your system, but remember it's not a magic bullet: it only works if the key used to sign the software hasn't itself been compromised.
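The "Good signature" and trust-warning checks above can be automated so that a verification only passes when the signing key's fingerprint matches the one you obtained out of band. This is an added example, not code from the original post: it parses gpg's machine-readable --status-fd output, and the file names, the key fingerprints and the sample status lines are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pin the signer's fingerprint
# instead of eyeballing "Good signature". All fingerprints and file names
# here are constructed placeholders.
set -u

# Reads "[GNUPG:] ..." status lines on stdin. Succeeds (exit 0) only if gpg
# reported GOODSIG and a VALIDSIG whose signing-key or primary-key fingerprint
# equals $1. BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG fail immediately.
check_gpg_status() {
    local expected_fpr="$1" good=0 pinned=0 line
    local -a f
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                read -r -a f <<< "$line"
                # f[2]: fingerprint of the (sub)key that made the signature;
                # f[11]: fingerprint of its primary key (present when a subkey signed)
                if [ "${f[2]}" = "$expected_fpr" ] || [ "${f[11]:-}" = "$expected_fpr" ]; then
                    pinned=1
                fi ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$pinned" -eq 1 ]
}

# Real use (needs gpg and the imported key): verify_package example_2.sig example_2 <FPR>
verify_package() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_gpg_status "$3"
}

# Constructed sample of status output for an offline dry run (not real gpg output).
# TRUST_UNDEFINED is the machine form of the "not certified with a trusted
# signature" warning; pinning the fingerprint is what makes that acceptable.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Dev <dev@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'
PINNED_FPR=FEDCBA9876543210FEDCBA9876543210FEDCBA98

# Dry run against the constructed sample: exit 0 when the pinned key signed it.
demo_pinned_check() {
    printf '%s\n' "$SAMPLE_STATUS" | check_gpg_status "$PINNED_FPR"
}
```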
