Opened 9 months ago

Closed 9 months ago

#21238 closed defect (invalid)

tor-messenger-linux32-0.3.0b2 BAD signature

Reported by: BobSmith
Owned by:
Priority: Very High
Milestone:
Component: Applications/Tor Messenger
Version: Tor: unspecified
Severity: Blocker
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hi,

I was trying to verify the signature of Tor Messenger 0.3.0 beta and got a BAD signature:

#Import the key
gpg --keyserver pool.sks-keyservers.net --recv-keys 0xB01C8B006DA77FAA
Fingerprint OK
gpg --fingerprint 0xB01C8B006DA77FAA
pub 4096R/0xB01C8B006DA77FAA 2016-02-25 [expires: 2020-02-24]

Key fingerprint = E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA

uid [ unknown] Sukhbir Singh <azadi@…>
uid [ unknown] Sukhbir Singh <sukhbir@…>
sub 4096R/0x1AF20C043D9F9289 2016-02-25 [expires: 2020-02-24]

Verification:

gpg --verify sha256sums-signed-build.txt.asc tor-messenger-linux32-0.3.0b2_en-US.tar.xz
gpg: Signature made Wed 28 Dec 2016 01:22:29 PM UTC
gpg: using RSA key 0xB01C8B006DA77FAA
gpg: BAD signature from "Sukhbir Singh <azadi@…>" [unknown]

Files were downloaded from here:
https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger#Downloads

Best,
BS

Change History (1)

comment:1 Changed 9 months ago by arlolra

Resolution: invalid
Status: new → closed

It looks like your problem is in this line,

gpg --verify sha256sums-signed-build.txt.asc tor-messenger-linux32-0.3.0b2_en-US.tar.xz

that should just be,

gpg --verify sha256sums-signed-build.txt.asc

and you'll need to download the corresponding sha256sums-signed-build.txt file.

Then you'll want to run,

shasum -a 256 tor-messenger-linux32-0.3.0b2_en-US.tar.xz

and verify that the sha you get is in that sha256sums-signed-build.txt file.

Hope that helps.

This procedure is covered here,
https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger/FAQ#HowtoverifythesignatureofTorMessenger
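
The two-step check described in comment:1, written out as an added shell example (not part of the ticket and not Tor Project code). The function names are hypothetical, and the sums file is assumed to use the `sha256sum` "HASH  NAME" layout with bare file names.

```sh
#!/bin/sh
# Added example (not from the ticket): function names are hypothetical.
# Assumes the sums file uses sha256sum's "HASH  NAME" layout with bare file names.

# Print the SHA-256 of a file; sha256sum if present, else shasum -a 256.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Step 1: the detached signature covers the checksum list, not the tarball.
# Naming the signed file explicitly keeps gpg from guessing it.
verify_sums_signature() {
    gpg --verify "$1.asc" "$1"
}

# Step 2: succeed only if the list holds the artifact's hash next to its name.
# Matching the name too is stricter than a bare search for the hash.
hash_is_listed() {
    sums=$1
    artifact=$2
    want=$(sha256_of "$artifact")
    [ -n "$want" ] || return 2          # unreadable or missing artifact
    name=$(basename "$artifact")
    awk -v h="$want" -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }   # drop the binary-mode "*" marker
        $1 == h && f == n { found = 1 }
        END { exit !found }' "$sums"
}

# Both steps in order; the hash is only trusted once the signature is good.
verify_download() {
    verify_sums_signature "$1" && hash_is_listed "$1" "$2"
}

# Usage: sh verify.sh sha256sums-signed-build.txt tor-messenger-linux32-0.3.0b2_en-US.tar.xz
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2" && echo "OK: good signature, hash listed"
fi
```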
