[Privoxy-users] MD5, GPG - How to verify?
Ian Silvester
iansilvester at fastmail.fm
Tue Jan 10 21:18:14 UTC 2017
Hi again Vanderdenduur,
I have followed up with the packager, Tobias Netzel. He has resubmitted
his public key to multiple keyservers and hence you should now find that
the signature can be successfully verified.
Kind regards,
Ian
My PGP public key: http://diem.serveftp.net:8080/IanSilvesterPGPPublicKey.asc
On Tue, 10 Jan 2017, at 14:33, Ian Silvester wrote:
> Hi Vanderdenduur,
>
> I've inserted my responses inline below.
>
> Cheers,
>
> Ian
>
> On Tue, 10 Jan 2017, at 09:38, Vanderdenduur wrote:
> > Dear support,
> >
> > I downloaded Privoxy 3.0.26 PPC. There is an `asc` file and an MD5 hash as
> > well.
> >
> > I have imported Ian's public key (last year, I guess)
> >
> > pub 4096R/67AC703D 2015-01-26
> > uid [ unknown] Ian Silvester <iansilvester at fastmail.fm>
> > sub 4096R/939C7304 2015-01-26
> >
> > When I do a
> >
> > gpg --verify Privoxy\ 3.0.26\ PPC.tar.bz2.asc
> >
> > I'm faced with this error:
> >
> > gpg: assuming signed data in 'Privoxy 3.0.26 PPC.tar.bz2'
> > gpg: Signature made Mon Jan 2 16:29:24 2017 GMT using RSA key ID
> > 448C48FA
> > gpg: Can't check signature: No public key
>
> This is the correct approach; however, I did not sign the package, the
> packager did (as per the announcement the PPC release is from a member
> of the user community). He has not (yet) published his public key to the
> keyservers and so, for now, one cannot verify that he is the package
> author.
>
> >
> > So, I decided to do
> >
> > gpg --import Privoxy\ 3.0.26\ PPC.tar.bz2.asc
> >
> > And, I'm faced with…
> >
> > gpg: no valid OpenPGP data found.
> > gpg: Total number processed: 0
>
> That is correct since the signature does not contain any keys.
>
> >
> > Finally, when I do
> >
> > md5 Privoxy\ 3.0.26\ PPC.tar.bz2
> >
> > or
> >
> > Privoxy\ 3.0.26\ PPC.tar.bz2.asc
> >
> > The obtained hashes do not match what is provided on site, which is:
> >
> > MD5: aec74565e253cccaef9d381d193f9062
>
> This is incorrect - that is the hash of the x64 package. Refer further
> down the readme for the PPC package hash which is
> 477823ca0ae9d85aef85c87df9e95537
>
>
> > So, short of ideas, I offer you this question… Would you mind if I
> > asked you to put a short reminder (maybe for all) on how to verify the
> > package? Because, obviously, I am not able to verify your packages.
>
> You performed all the correct actions, only with a false assumption and
> one mistake. On balance I don't think a reminder is required, but I will
> add a note that the signature cannot as yet be verified.
>
> Cheers,
>
> Ian
>
>
>
> >
> > Thanks very much for your support,
> >
> > Vanderdenduur
> >
> > --
> > Sent from my Superb MacBook Pro GT Twin-turbo
> >
> > _______________________________________________
> > Privoxy-users mailing list
> > Privoxy-users at lists.privoxy.org
> > https://lists.privoxy.org/mailman/listinfo/privoxy-users
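The two checks discussed in this thread, as an added example that is not part of the original messages or of Privoxy's own tooling: look up the expected MD5 by file name instead of taking the first hash on the page, and tell a missing signer key apart from a bad signature. The helper names and the "<md5>  <file name>" listing format are assumptions.

```sh
#!/bin/sh
# Added example; helper names and the "<md5>  <file name>" listing format
# are assumptions, not taken from the Privoxy readme.

# Print the MD5 of a file with md5sum (Linux) or md5 (macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# Compare a file against the listing entry that carries the same file name,
# so the hash of a different package on the same page is never used.
# Returns 0 on match, 1 on mismatch, 2 when the file is not listed.
check_md5() {
    file=$1
    listing=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" \
        '{ h = $1; sub(/^[^ ]+ +/, ""); if ($0 == n) { print h; exit } }' "$listing")
    [ -n "$expected" ] || return 2
    [ "$(file_md5 "$file")" = "$expected" ]
}

# Classify the status lines written by
#   gpg --status-fd 1 --verify FILE.asc FILE
# (read from stdin). Prints: good | bad | no-key <keyid> | unknown
classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]"    { next }
        $2 == "BADSIG"      { bad = 1 }
        $2 == "GOODSIG"     { good = 1 }
        $2 == "NO_PUBKEY"   { missing = $3 }
        END {
            if (bad)                print "bad"
            else if (missing != "") print "no-key " missing
            else if (good)          print "good"
            else                    print "unknown"
        }'
}
```

A "no-key" result corresponds to the "Can't check signature: No public key" message quoted above: the signer's key has to be imported before the signature can be checked at all.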