Topic: Unable to 'gpg --verify' the installation file.

awanro

« on: November 03, 2018, 06:45:06 PM »
Tried the following terminal command:

     awanros-MacBook-Pro:Downloads awanro$ gpg --verify qbittorrent-4.1.3.dmg.asc
     gpg: no signed data
     gpg: can't hash datafile: No data

It seems the installation file has not been signed by the developer.

Have gnupg2 installed via macports.

I downloaded the PGP Signature File.

I imported the developer's public key.

Tried this command to see the Signature File contents:

     awanros-MacBook-Pro:Downloads awanro$ cat qbittorrent-4.1.3.dmg.asc

     -----BEGIN PGP SIGNATURE-----
     iQIzBAABCAAdFiEE2PPad6rGdBBTWZwTbkotAlt8yaIFAluhfUEACgkQbkotAlt8
         ........etc        ........etc      ........etc     .......etc
     0FZFCcz8ljZe6K93fgUveqkBoh+QWhHSAzLpgrF7772cv4/u6DE=
     =M1W3
     -----END PGP SIGNATURE-----

What terminal commands do I use with this downloaded Signature File to verify the downloaded qBittorrent installation file?

chrstphrchvz

Re: Unable to 'gpg --verify' the installation file.
« Reply #1 on: November 19, 2018, 01:18:48 PM »
Where is the qbittorrent-4.1.3.dmg file you downloaded? If you don't specify where it is, and it's not in the same directory as the .asc signature file, then you will get the error:

     $ gpg --verify qbittorrent-4.1.3.dmg.asc
     gpg: no signed data
     gpg: can't hash datafile: No data

If both the .asc and .dmg were in the same directory, then your command would have worked:

     $ gpg --verify qbittorrent-4.1.3.dmg.asc
     gpg: assuming signed data in 'qbittorrent-4.1.3.dmg'
     gpg: Signature made Tue Sep 18 17:33:37 2018 CDT
     gpg:                using RSA key D8F3DA77AAC6741053599C136E4A2D025B7CC9A2
     gpg: Good signature from "sledgehammer_999 (Used for signing git commits/tags/etc) <[email protected]>" [unknown]
     gpg:                 aka "sledgehammer999 (Used for signing qBittorrent source tarballs and binaries v2.) <[email protected]>" [unknown]
     gpg: WARNING: This key is not certified with a trusted signature!
     gpg:          There is no indication that the signature belongs to the owner.
     Primary key fingerprint: D8F3 DA77 AAC6 7410 5359  9C13 6E4A 2D02 5B7C C9A2

Notice that first line: assuming signed data in 'qbittorrent-4.1.3.dmg'. If it's not in the same directory, then you must specify exactly where you downloaded the qbittorrent dmg file to, i.e.

     gpg --verify some/path/foo/qbittorrent-4.1.3.dmg.asc some/path/bar/qbittorrent-4.1.3.dmg

This is all described in man gpg.
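
An added example, not part of either post: a POSIX shell wrapper that passes the data file explicitly, as Reply #1 describes, and accepts the result only when gpg's machine-readable status output reports a valid signature from an expected fingerprint (here the one printed in Reply #1). The function names check_status and verify_pinned and the script name verify.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example; check_status and verify_pinned are names assumed here.

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line
# carries the expected fingerprint and no failure keyword was reported.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired or revoked signatures and keys.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last
        # field is the primary key fingerprint.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_pinned SIGNATURE DATAFILE FINGERPRINT
verify_pinned() {
    sig=$1; data=$2; fpr=$3
    # A missing data file is the case Reply #1 describes ("no signed data").
    [ -f "$sig" ] && [ -f "$data" ] || { echo "missing $sig or $data" >&2; return 2; }
    # Status lines go to stdout (fd 1); human-readable messages stay on stderr.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    printf '%s\n' "$status" | check_status "$fpr"
}

# Run as a script with three arguments, e.g. (fingerprint as printed in Reply #1):
#   sh verify.sh qbittorrent-4.1.3.dmg.asc qbittorrent-4.1.3.dmg \
#       D8F3DA77AAC6741053599C136E4A2D025B7CC9A2
if [ "$#" -eq 3 ]; then
    verify_pinned "$@"
fi
```

The exit status is 0 only for a valid signature by the pinned key, so the wrapper can gate an install step without anyone reading the "Good signature" text by eye.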