[Privoxy-users] MD5, GPG - How to verify?

Ian Silvester iansilvester at fastmail.fm
Tue Jan 10 19:33:24 UTC 2017 

Hi Vanderdenduur,

I've inserted my responses inline below.

Cheers,

Ian

On Tue, 10 Jan 2017, at 09:38, Vanderdenduur wrote:
> Dear support,
> 
> I downloaded Privoxy 3.0.26 PPC. There is a `asc` file and a MD5 hash as 
> well.
> 
> I have imported Ian's public key (last year, I guess)
> 
> pub   4096R/67AC703D 2015-01-26
> uid       [ unknown] Ian Silvester <iansilvester at fastmail.fm>
> sub   4096R/939C7304 2015-01-26
> 
> When I do a
> 
> gpg --verify Privoxy 3.0.26 PPC.tar.bz2.asc
> 
> I'm faced with this error:
> 
> gpg: assuming signed data in 'Privoxy 3.0.26 PPC.tar.bz2'
> gpg: Signature made Mon Jan  2 16:29:24 2017 GMT using RSA key ID
> 448C48FA
> gpg: Can't check signature: No public key

This is the correct approach however I did not sign the package, the
packager did (as per the announcement the PPC release is from a member
of the user community). He has not (yet) published his public key to the
keyservers and so, for now, one cannot verify that he is the package
author.

> 
> So, I decided to do
> 
> gpg --import Privoxy\ 3.0.26\ PPC.tar.bz2.asc
> 
> And, I'm faced with…
> 
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0

That is correct since the signature does not contain any keys.

> 
> Finally, when I do
> 
> md5 Privoxy\ 3.0.26\ PPC.tar.bz2
> 
> or
> 
> Privoxy\ 3.0.26\ PPC.tar.bz2.asc
> 
> The obtained hashes do not match what is provided on site, which is:
> 
> MD5: aec74565e253cccaef9d381d193f9062

This is incorrect - that is the hash of the x64 package. Refer further
down the readme for the PPC package hash which is
477823ca0ae9d85aef85c87df9e95537


> So, in short of ideas, I offer you this question… Would you mind if I 
> asked you to put a short reminder (maybe for all) on how to verify the 
> package? Because, obviously, I am not able to verify your packages.

You performed all the correct actions, only with a false assumption and
one mistake. On balance I don't think a reminder is required, but I will
add a note that the signature cannot as yet be verified.

Cheers,

Ian



> 
> Thanks very much for your support,
> 
> Vanderdenduur
> 
> -- 
> Sent from my Superb MacBook Pro GT Twin-turbo
> 
> _______________________________________________
> Privoxy-users mailing list
> Privoxy-users at lists.privoxy.org
> https://lists.privoxy.org/mailman/listinfo/privoxy-users

More information about the Privoxy-users mailing list