我知道分离的签名是由签名者的私钥生成的,并且您使用签名者的公钥来验证下载的文件。
例如
gpg --verify package_name.asc
签名是通过签名者的公钥来验证的,但是怎么gpg知道签名是属于下载的包呢?我错过了什么吗?
gpg将根据相同的文件名自动验证分离的签名,没有.asc或.sig扩展名。来自man gpg:
--verify
Assume that the first argument is a signed file or a detached signature and
verify it without generating any output. With no arguments, the signature
packet is read from STDIN. If only a sigfile is given, it may be a complete
signature or a detached signature, in which case the signed stuff is expected
in a file without the ".sig" or ".asc" extension. With more than 1 argument,
the first should be a detached signature and the remaining files are the
signed stuff. To read the signed stuff from STDIN, use '-' as the second
filename. For security reasons a detached signature cannot read the signed
material from STDIN without denoting it in the above way.
因此,gpg --verify package_name.asc预计签名文件可以作为package_name. 如果不是(或在其他位置),还请提供此文件的路径:
gpg --verify detached_siganture.asc signed_file
OpenPGP 不希望将文件名(或任何其他标识符)存储在签名中。但是:签名是签名文件的哈希和,用签名者的私钥加密,所以可以用他的公钥解密。如果解密的哈希和与用于验证的文件之一不匹配,则您知道该文件与已签名的文件不同(但由于选择错误而无法判断它是错误的文件,还是被篡改)。
| 归档时间: |
|
| 查看次数: |
9464 次 |
| 最近记录: |