Bitcoin Forum
Author Topic: GPG4win / Kleopatra / openPGP ... running into a wall. Help?  (Read 15992 times)
figmentofmyass (OP)
Legendary
Activity: 1652
Merit: 1483
December 03, 2013, 08:34:14 PM
Last edit: December 03, 2013, 08:53:20 PM by figmentofmyass
#1

i wanted to get serious about securing my bitcoins. so i bought an ubuntu notebook with the intention of keeping it offline to store my coins, keeping all wallet/backups all offline.

in the interest of preventing malware from ever entering my machine, i wanted to download whatever i needed onto a flash drive and put it on the offline machine. so i wanted to authenticate the download of bitcoin QT... that further required download of GPG4WIN (openPGP) to verify the signature when downloaded.

so i downloaded GPG4WIN and used sha1 checksum to verify its integrity. i installed it and ran kleopatra.

so i figured since GPG4WIN provides an OpenPGP signature for its downloads, that i would start with that. here's the problem --

when i go to import the .sig file, i can't. .sig is supposed to be openPGP, but kleopatra only seems to allow importation of .asc, .cer, .cert, .crt, .der, .pem, .gpg. is that right? am i missing something?

so i figured, maybe i am going about this wrong? i go to decrypt/verify files. the binary and signature file are in the same folder. when i go to decrypt/verify, i get the message "Not enough information to check signature validity." when i click to show details, it says "Signed on ... with unknown certificate ... The signature is invalid: No public certificate to verify the signature."

can someone explain what i am missing?

i feel like i am supposed to get GPG4WIN's public certificate and import it, after which it will be able to verify correctly. but what do i do with this .sig file?!?! i can't seem to find any public certificates posted at gpg4win.org.

this is going to be the end of me. bitcoin and associated technology is so frustrating in how difficult to use it is for the average user.


meinsenf
Newbie
Activity: 9
Merit: 0
December 03, 2013, 08:59:47 PM
#2

First of all, a .sig file is a detached signature. So if, for example, you have a file something.exe.sig, this will be the signature for the file something.exe. So you are right about using verify and/or decrypt on this pair of files.

The problem you have is related to the fact that you do not have the public key corresponding to that signature within your PGP keyring. This key is only referenced in the signature using its numeric ID. But you need the public key itself to validate the signature.

So there are some things you need to do:

Step 1: Figure out where to find the required public key and import it into your keyring.
Step 2: Verify that key according to its fingerprint
Step 3: Sign that key with your key, so GnuPG knows the key is valid and belongs to the specified "person"

Then if the signature is valid, you should get the successful verification result upon signature verification.

Sorry that I cannot provide help on how to find the key. I.e. you may be able to load it from a "keyserver" or you may find it on the web, where you download the software. In both cases you still have the problem of verifying the key itself. Of course, if the software may be manipulated, the key may also be faked. So you may end at a certain point where you have to trust something without being able to base your trust on proof.
Atruk
Hero Member
Activity: 700
Merit: 500
December 03, 2013, 09:02:53 PM
#3

Quote
i wanted to get serious about securing my bitcoins. so i bought an ubuntu notebook with the intention of keeping it offline to store my coins, keeping all wallet/backups all offline.

in the interest of preventing malware from ever entering my machine, i wanted to download whatever i needed onto a flash drive and put it on the offline machine. so i wanted to authenticate the download of bitcoin QT... that further required download of GPG4WIN (openPGP) to verify the signature when downloaded.

so i downloaded GPG4WIN and used sha1 checksum to verify its integrity. i installed it and ran kleopatra.

so i figured since GPG4WIN provides an OpenPGP signature for its downloads, that i would start with that. here's the problem --

when i go to import the .sig file, i can't. .sig is supposed to be openPGP, but kleopatra only seems to allow importation of .asc, .cer, .cert, .crt, .der, .pem, .gpg. is that right? am i missing something?

so i figured, maybe i am going about this wrong? i go to decrypt/verify files. the binary and signature file are in the same folder. when i go to decrypt/verify, i get the message "Not enough information to check signature validity." when i click to show details, it says "Signed on ... with unknown certificate ... The signature is invalid: No public certificate to verify the signature."

can someone explain what i am missing?

i feel like i am supposed to get GPG4WIN's public certificate and import it, after which it will be able to verify correctly. but what do i do with this .sig file?!?! i can't seem to find any public certificates posted at gpg4win.org.

this is going to be the end of me. bitcoin and associated technology is so frustrating in how difficult to use it is for the average user.


If you are using Ubuntu you really shouldn't be able to run GPG4win.

What you want to do, since somehow this software stack is working, is import the public keys, but not just GPG's. You want to import the public keys that each program is signed with. The thing about GPG, unlike the shitty X.509 system, is that you don't start with signed root certificates, so you will have to import public keys from every party whose signatures you will want to check.

GPG is handling the .sig fine it seems. If you want a really nice GUI frontend for GPG I recommend setting up the Geany text editor with the Geany GPG extension. I've had a guide to setting it up here: http://www.thedrinkingrecord.com/2013/10/31/signature-thursday-geany-a-gui-text-editor-for-gpg-tasks/

figmentofmyass (OP)
Legendary
Activity: 1652
Merit: 1483
December 03, 2013, 09:21:29 PM
#4

thank you for your replies.

re ubuntu, my online machine is windows. i planned to verify signatures on my online machine before transferring to the offline machine.

so gpg4win.org, i found, says the signatures have been created with the following OpenPGP certificate: Intevation File Distribution Key (Key ID: EC70B1B8) [https://ssl.intevation.de/]

so i go to import the public OpenPGP key for signing files provided there. it appears to have imported correctly (imported: 1, shows up under "other certificates" as openPGP).

now, when i go to decrypt/verify, i get a new message. still "Not enough information to check signature validity." in details, it says "signed on ..... by distribution-key@intevation.de (KEY ID: 0xEC70B1B8). The validity of the signature cannot be verified."

ok. so what does this tell me? gpg4win says it should be signed by intevation.de -- Kleopatra says it is, right? gpg4win says it should be signed by EC70B1B8 -- it is, right? (i think i recall reading that 0x is just a prefix -- so it is the same key ID, right?)

still it says the validity of the signature cannot be verified. but by all appearances, the file is signed by the party that it was supposed to have been signed by. ......right? i'm thinking this is as good as it gets?

sorry to be such a noob!! i'm learning a lot though!! Smiley

meinsenf
Newbie
Activity: 9
Merit: 0
December 03, 2013, 09:35:20 PM
#5

You missed Step 3. You have to confirm the key. This means you have to ensure the key is trusted. This may be the case if others signed the key and you trusted them. But this is very probably not the case. So you need to sign/confirm the key yourself.

- Open Kleopatra
- Find the key in tab "Other Certificates"
- Right click the key to open the context menu
- Here select "Confirm Certificate"
- Now follow the procedure indicated by the program.

Note that my Kleopatra installation does not use the English language, so the menu entries I specify may have slightly different names. Note also that by confirming the key you say "I know this key is the key from Intevation". That's a bit of a lie. But at least you can restrict the lie to yourself during confirmation of the key.
figmentofmyass (OP)
Legendary
Activity: 1652
Merit: 1483
December 03, 2013, 09:36:59 PM
#6

i got it to confirm validity, but it seems very trivial, since it was only based on my own certification.

i just created a new certificate/keypair, set the intevation.de certificate to full trust, then certified it with my own key. now when i go to decrypt/verify, it says "All operations completed. gpg4win signed by distribution-key@intevation.de (KEY ID: 0xEC70B1B8). The signature is valid and the certificate's validity is full trusted."

regardless, this is about the extent of due diligence that i can do, right?

figmentofmyass (OP)
Legendary
Activity: 1652
Merit: 1483
December 03, 2013, 09:43:39 PM
#7

Quote
You missed Step 3. You have to confirm the key. This means you have to ensure the key is trusted. This may be the case if others signed the key and you trusted them. But this is very probably not the case. So you need to sign/confirm the key yourself.

- Open Kleopatra
- Find the key in tab "Other Certificates"
- Right click the key to open the context menu
- Here select "Confirm Certificate"
- Now follow the procedure indicated by the program.

Note that my Kleopatra installation does not use the English language, so the menu entries I specify may have slightly different names. Note also that by confirming the key you say "I know this key is the key from Intevation". That's a bit of a lie. But at least you can restrict the lie to yourself during confirmation of the key.

thanks so much! this is what i have done.

so now i can confirm that the binary was signed by the party the publisher said it should be signed by.

meinsenf
Newbie
Activity: 9
Merit: 0
December 03, 2013, 09:46:36 PM
#8

Quote
i got it to confirm validity, but it seems very trivial, since it was only based on my own certification.

i just created a new certificate/keypair, set the intevation.de certificate to full trust,

I recommend removing the full trust from the Intevation certificate. This trust is related to how much you trust them to validate/confirm other keys. It has no meaning for this signature validation.

Quote
then certified it with my own key. now when i go to decrypt/verify, it says "All operations completed. gpg4win signed by distribution-key@intevation.de (KEY ID: 0xEC70B1B8). The signature is valid and the certificate's validity is full trusted."

regardless, this is about the extent of due diligence that i can do, right?

Well yes, probably. If you trust this forum and me, you may believe that the fingerprint of the Intevation key is "61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8" (I also found and imported that key. This is the fingerprint my software shows). Then you can validate this using "Certificate Details" from the context menu (right click) of this key. There you should find the same fingerprint.
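An added example, not code from this thread, from GnuPG or from Gpg4win: it maps the three outcomes figmentofmyass hit (no public key; signed but "validity cannot be verified"; valid after certifying the key) onto gpg's machine-readable --status-fd lines, and checks a key ID or fingerprint as Kleopatra displays it against the fingerprint meinsenf quoted, which is Step 2 of post #2. The status lines at the bottom are constructed sample data: the date is made up, and the long key ID is derived from the quoted fingerprint.

```python
# Fingerprint of the Intevation File Distribution Key as quoted in the thread.
EXPECTED_FPR = "61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8"

def normalize_fpr(value):
    """Strip spaces and an optional 0x prefix; accepts Kleopatra's spaced form."""
    value = value.strip().replace(" ", "").upper()
    return value[2:] if value.startswith("0X") else value

def key_id_matches(fingerprint, key_id):
    """A short key ID (EC70B1B8 or 0xEC70B1B8) is just the last 8 hex digits
    of the fingerprint, a long ID the last 16; 0x is only a display prefix."""
    fpr, kid = normalize_fpr(fingerprint), normalize_fpr(key_id)
    return len(kid) in (8, 16) and fpr.endswith(kid)

def interpret_status(lines, expected_fpr=EXPECTED_FPR):
    """Map gpg --status-fd lines to the situations the thread walks through."""
    signer_fprs, trust = set(), None
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "NO_PUBKEY":          # Kleopatra: "No public certificate to verify"
            return "no public key for " + fields[2] + ": import the signer's key"
        if tag == "BADSIG":
            return "BAD signature: the file or the .sig was altered"
        if tag == "VALIDSIG":           # fields[2]: signing key; last field: primary key
            signer_fprs.update({fields[2], fields[-1]})
        if tag.startswith("TRUST_"):    # TRUST_UNDEFINED until you certify the key
            trust = tag
    if not signer_fprs:
        return "no valid signature found"
    if normalize_fpr(expected_fpr) not in {normalize_fpr(f) for f in signer_fprs}:
        return "good signature, but NOT from the expected key: " + ", ".join(sorted(signer_fprs))
    if trust in (None, "TRUST_UNDEFINED", "TRUST_NEVER"):   # "validity cannot be verified"
        return "good signature from the expected key; certify it locally to silence the warning"
    return "good signature from the expected key (" + trust + ")"

# Constructed sample status lines (the date is invented; the long key ID is the
# last 16 hex digits of EXPECTED_FPR).
SAMPLE_UNTRUSTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 7CBD620BEC70B1B8 Intevation File Distribution Key <distribution-key@intevation.de>",
    "[GNUPG:] VALIDSIG " + EXPECTED_FPR + " 2013-11-05 1383638400 0 4 0 1 10 00 " + EXPECTED_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_NO_KEY = ["[GNUPG:] NEWSIG", "[GNUPG:] NO_PUBKEY 7CBD620BEC70B1B8"]
```

Real input for interpret_status comes from `gpg --status-fd 1 --verify gpg4win.exe.sig gpg4win.exe` (file names assumed); a matching fingerprint is what makes the GOODSIG meaningful, the TRUST_ line only reflects your own certification.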
figmentofmyass (OP)
Legendary
Activity: 1652
Merit: 1483
December 03, 2013, 10:32:14 PM
#9

Quote
i got it to confirm validity, but it seems very trivial, since it was only based on my own certification.

i just created a new certificate/keypair, set the intevation.de certificate to full trust,

I recommend removing the full trust from the Intevation certificate. This trust is related to how much you trust them to validate/confirm other keys. It has no meaning for this signature validation.
i understand. thanks!

Quote
then certified it with my own key. now when i go to decrypt/verify, it says "All operations completed. gpg4win signed by distribution-key@intevation.de (KEY ID: 0xEC70B1B8). The signature is valid and the certificate's validity is full trusted."

regardless, this is about the extent of due diligence that i can do, right?

Well yes, probably. If you trust this forum and me, you may believe that the fingerprint of the Intevation key is "61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8" (I also found and imported that key. This is the fingerprint my software shows). Then you can validate this using "Certificate Details" from the context menu (right click) of this key. There you should find the same fingerprint.
that is what i find. thank you!
