Monday, December 3, 2012

What To Do With .sign Or .asc Files

AKA: How To Deal With .sign or .asc File Extensions

Didn't find much help with this, and what I did find didn't work, so here's what did work for me.

First off, be aware that .sign and .asc files have to do with signed files and are used to help verify or authenticate a file as true and original.

Secondly, be aware that a file can in itself be signed or be accompanied by a file that handles the signing.  In the former case, the original file is modified and given the .sign or .asc extension.  If the latter case, the original file is untouched and accompanied by a file of the same name but with a .sign or .asc extension added.

Regardless of whether there is 1 or 2 files involved, the command and options used to verify is the same!  This was contrary to many suggestions I found elsewhere.  For example, if you download foobar.tar.bz2 and foobar.tar.bz2.sign then you can do the following.
$ gpg --verify foobar.tar.bz2.sign
Now this will either work because you already have the appropriate key or fail with some message noting a DSA key ID.  In the failure case, continue as follows.
$ gpg --keyserver --recv-key <DSA key ID>
Of course, replace <DSA key ID> with the appropriate value which should be something like "ACC9965B".  Also, feel free to replace "" with some other gpg key server.  Now repeat the first command:
  $ gpg --verify foobar.tar.bz2.sign
Done!  Your file will either pass or fail verification.


All this really does is verify that the file is in it's original form as supplied by somebody identified by the given DSA key.  Whether or not you trust that the identified person is true, real, and trustworthy is up to you.  For example, if the DSA key identifies John Doe [] and you happen to know that John Doe works for Acme Corp then you can probably trust this whole process.  But if the DSA key points to Joe Blow [], then.....well, your call.

I found many suggestions to handle the 2 file case as follows:
$ gpg --verify foobar.tar.bz2.sign foobar.tar.bz2
Which just yielded the error "gpg: not a detached signature" because gpg thinks both files are signed. Maybe this works for other versions of gpg but it didn't for mine. My version of gpg is given below.
$ gpg --version
gpg (GnuPG) 1.4.10
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
For more details, as always:
$ man gpg

No comments:

Post a Comment