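gpg version 2.1.18; Debian stretch
Public key imported from the official https://cygwin.com/key/pubring.asc
I downloaded a pair of Cygwin setup files from https://cygwin.com/install.html, and they passed the verification test:
i.e. gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
produced no unpleasantness...
At that point I was happy and should have stopped there. However, I noticed that in the Signing key transition section of the Installing and Updating Cygwin Packages page there is a link to a message on the Cygwin-announce mailing list (https://sourceware.org/pipermail/cygwin-announce/2020-March/009447.html).
Well, try as I might, I cannot verify said message in what I consider the normal way - i.e. I saved said message to a text file (cygwin.asc), starting with the -----BEGIN PGP SIGNED MESSAGE----- line and ending with the -----END PGP PUBLIC KEY BLOCK----- line, and then ran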
gpg --verify cygwin.asc
The result was:
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg: using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A 5D56 1A69 8DE9 E2E5 6300
gpg: verify signatures failed: Unexpected error
The only way I can eliminate said
gpg: verify signatures failed: Unexpected error
squawk is to truncate the public key portion of the message in said cygwin.asc file (thereby creating the cygwin-no-pubkey.asc file).
Then:
$ gpg --verify cygwin-no-pubkey.asc
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg: using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A 5D56 1A69 8DE9 E2E5 6300
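This looks cool to me!
What is going on here? Why do I have to remove the public key block from the subject message to get the goodness? I searched for hours, including here, with no joy!: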
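The last line stating
gpg: verify signatures failed: Unexpected error
is the result of gpg --verify encountering non-signature OpenPGP data (the public key block), but it does not negate the earlier output showing that the signatures verified successfully. This is expected behavior. Cygwin could include a statement in their instructions (which say to save the clear-signed text and the public key block in the same file) to alert users to this.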
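One way to avoid the trailing error is to split the saved message so that gpg --verify only sees the clear-signed part. The script below is an added example, not part of the original question or answer; the function names (make_sample, split_announcement, verify_signed_part) and output file names are hypothetical, and the sample message is constructed placeholder text that exercises the splitting only.

```shell
#!/bin/sh
# Added example: separate a clear-signed message from a public key block
# appended after it. Function and file names are hypothetical.

# make_sample FILE: write a constructed message (placeholder data, not a real signature).
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Constructed body line.
- -----BEGIN PGP PUBLIC KEY BLOCK----- (dash-escaped, part of the signed text)
-----BEGIN PGP SIGNATURE-----

CONSTRUCTEDSIGNATUREDATA
-----END PGP SIGNATURE-----

-----BEGIN PGP PUBLIC KEY BLOCK-----

CONSTRUCTEDKEYDATA
-----END PGP PUBLIC KEY BLOCK-----
EOF
}

# split_announcement FILE OUTDIR: write OUTDIR/signed.asc and OUTDIR/pubkey.asc.
# Returns non-zero if no complete clear-signed message is found.
split_announcement() {
    src=$1 dst=$2
    mkdir -p "$dst" || return 2
    : > "$dst/signed.asc"; : > "$dst/pubkey.asc"
    awk -v s="$dst/signed.asc" -v k="$dst/pubkey.asc" '
        BEGIN { state = 0 }
        { sub(/\r$/, "") }   # tolerate CRLF line endings from saved mail
        # Armor headers inside the signed text are dash-escaped ("- -----"),
        # so only real armor lines match these anchored patterns.
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ && state == 0 { state = 1 }
        state == 1 { print > s }
        /^-----END PGP SIGNATURE-----$/ && state == 1 { state = 2; next }
        /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ && state == 2 { state = 3 }
        state == 3 { print > k }
        /^-----END PGP PUBLIC KEY BLOCK-----$/ && state == 3 { state = 4 }
        END { exit (state >= 2 ? 0 : 1) }
    ' "$src"
}

# verify_signed_part FILE OUTDIR: split, then verify only the clear-signed part.
verify_signed_part() {
    split_announcement "$1" "$2" || { echo "no clear-signed message in $1" >&2; return 1; }
    gpg --verify "$2/signed.asc"
}
```

With a real saved announcement, verify_signed_part cygwin.asc out runs gpg --verify on out/signed.asc only, and out/pubkey.asc holds the key block for separate inspection.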