[Privoxy-users] MD5, GPG - How to verify?
Lee
ler762 at gmail.com
Tue Jan 10 15:53:58 UTC 2017
Ian,
Can you help with verifying "Privoxy 3.0.26 PPC.tar.bz2" ?
On 1/10/17, Vanderdenduur <rvrnt at icloud.com> wrote:
> Dear support,
>
> I downloaded Privoxy 3.0.26 PPC. There is an `asc` file and an MD5 hash as
> well.
>
> I have imported Ian's public key (last year, I guess)
>
> pub 4096R/67AC703D 2015-01-26
> uid [ unknown] Ian Silvester <iansilvester at fastmail.fm>
> sub 4096R/939C7304 2015-01-26
>
> When I do a
>
> gpg --verify Privoxy 3.0.26 PPC.tar.bz2.asc
>
> I'm faced with this error:
>
> gpg: assuming signed data in 'Privoxy 3.0.26 PPC.tar.bz2'
> gpg: Signature made Mon Jan 2 16:29:24 2017 GMT using RSA key ID 448C48FA
> gpg: Can't check signature: No public key
>
> So, I decided to do
>
> gpg --import Privoxy\ 3.0.26\ PPC.tar.bz2.asc
That won't work. Automatically downloading the keys should work:
$ gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify 'Privoxy_3.0.26_PPC.tar(sf.net).bz2.asc'
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/documentation/faqs.html for more information
gpg: assuming signed data in `Privoxy_3.0.26_PPC.tar(sf.net).bz2'
gpg: Signature made Mon Jan 2 11:29:24 2017 EST using RSA key ID 448C48FA
gpg: requesting key 448C48FA from hkp server keys.gnupg.net
gpgkeys: key 34F46585448C48FA not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: key not found
gpg: keyserver communications error: bad public key
gpg: Can't check signature: public key not found
/tmp
$
Maybe it's just that whoever signed it didn't upload their public key
to a key server??
> Finally, when I do
>
> md5 Privoxy\ 3.0.26\ PPC.tar.bz2
>
> or
>
> Privoxy\ 3.0.26\ PPC.tar.bz2.asc
>
> The obtained hashes do not match what is provided on site, which is:
>
> MD5: aec74565e253cccaef9d381d193f9062
I *hate* file names with spaces in them. That MD5 hash is for Privoxy
3.0.26 64 bit.pkg
You want to check against
Privoxy 3.0.26 PPC.tar.bz2
This release is for PowerPC processors running OS X 10.4 or higher. <.. snip ..>
MD5: 477823ca0ae9d85aef85c87df9e95537
which looks OK to me (I downloaded from both privoxy.org & sf.net):
$ md5 *.bz2
MD5(Privoxy_3.0.26_PPC.tar(p.org).bz2)= 477823ca0ae9d85aef85c87df9e95537
MD5(Privoxy_3.0.26_PPC.tar(sf.net).bz2)= 477823ca0ae9d85aef85c87df9e95537
> So, short of ideas, I offer you this question… Would you mind if I
> asked you to put a short reminder (maybe for all) on how to verify the
> package? Because, obviously, I am not able to verify your packages.
Yes, we need something about how to verify packages in the documentation.
I'd write it up & add it in, but I don't know the "right" way. I
suspect blind trust - e.g.
gpg --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify <filename>
isn't the "right" way :(
Regards,
Lee
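
Added example, not part of the original message and not Privoxy project code: a shell sketch of the two checks discussed in the thread, with the signature accepted only when gpg's `--status-fd` output names a fingerprint pinned in advance rather than whatever key a keyserver returns. The function names are hypothetical, the fingerprint is a constructed placeholder, and it is assumed the real one is obtained from the signer by some channel other than the download site.

```shell
#!/bin/sh
# Added example, not from the thread: check a download without trusting
# whatever key a keyserver happens to return.

# Print the MD5 of a file; the quoted "$1" keeps names with spaces intact.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"    # macOS / BSD
    fi
}

# sig_verdict PINNED_FPR: reads gpg --status-fd output on stdin and prints
# OK, WRONG_KEY <fpr>, BAD, NO_PUBKEY <keyid> or UNVERIFIED.
sig_verdict() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pinned="$pinned" '
        $1 != "[GNUPG:]"  { next }
        $2 == "VALIDSIG"  {
            # $3 = signing (sub)key fingerprint, $12 = primary key fingerprint
            primary = (NF >= 12) ? $12 : $3
            if ($3 == pinned || primary == pinned) { ok = 1 } else { wrong = primary }
        }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { missing = $3 }
        END {
            if (bad)          print "BAD"
            else if (wrong)   print "WRONG_KEY " wrong
            else if (ok)      print "OK"
            else if (missing) print "NO_PUBKEY " missing
            else              print "UNVERIFIED"
        }'
}

# verify_detached PINNED_FPR SIGFILE DATAFILE (quote both file names)
verify_detached() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | sig_verdict "$1"
}

# Constructed sample data: the fingerprint is a placeholder, not a real key.
PINNED='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
GOOD_STATUS='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-01-02 1483374564 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
MISSING_STATUS='[GNUPG:] NO_PUBKEY 34F46585448C48FA'
BAD_STATUS='[GNUPG:] BADSIG 34F46585448C48FA Constructed Name'
```

With real files the call would be `verify_detached "$PINNED" 'Privoxy 3.0.26 PPC.tar.bz2.asc' 'Privoxy 3.0.26 PPC.tar.bz2'`; a `NO_PUBKEY` verdict corresponds to the "No public key" error shown in the thread.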