How to verify download using signature

Steve E

Mar 19, 2021, 12:07:30 PM
to RubyInstaller
Hi,

I have downloaded the .asc file and the .exe for the installer, now I want to verify the installer is not tampered with.  How do I do that?  I was not able to find instructions for this on the website.

Some steps I found:
gpg --import ci.ri2-package-signing-key.asc
gpg --verify ci.ri2-package-signing-key.asc rubyinstaller-devkit-2.7.2-1-x64.exe

The problem I have is that the import says "gpg: key E11AE6CF30B77F3A: 1 signature not checked due to a missing key" and I have no idea how to address this.  Attempting the verify anyway results in "gpg: verify signatures failed: Unexpected error"

I'm attempting this from a cygwin bash if that makes any difference.  My gpg is:

gpg (GnuPG) 2.2.27
libgcrypt 1.8.7
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: .../gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Lars Kanis

Mar 19, 2021, 12:35:36 PM
to RubyInstaller
That's a good question! I added a link to the wiki in the RubyInstaller download page. Is this OK for you? Does it work?

Steve E

Mar 19, 2021, 6:13:55 PM
to RubyInstaller
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2265  100  2265    0     0   2265      0  0:00:01 --:--:--  0:00:01 13245
gpg: key E11AE6CF30B77F3A: 1 signature not checked due to a missing key
gpg: key E11AE6CF30B77F3A: public key "ci.ri2 package signing key" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

$ gpg --verify ci.ri2-package-signing-key.asc rubyinstaller-devkit-2.7.2-1-x64.exe
gpg: verify signatures failed: Unexpected error

I don't have a file rubyinstaller-devkit-2.7.2-1-x64.exe.asc; the download only gave me the .exe file.

Steve E

Mar 19, 2021, 7:09:12 PM
to RubyInstaller
Got it.

The little hamburger menu next to the download opens up to show the sig file for that download.  For some reason I never noticed that or thought to look inside it.  I pulled down the .asc file, used the correct command, and got:

$ gpg --verify rubyinstaller-devkit-2.7.2-1-x64.exe.asc rubyinstaller-devkit-2.7.2-1-x64.exe
gpg: Signature made 10/6/2020 11:33:35 AM ric
gpg:                using RSA key A2A9BAD21B8D41522FE07214E11AE6CF30B77F3A
gpg: Good signature from "ci.ri2 package signing key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A2A9 BAD2 1B8D 4152 2FE0  7214 E11A E6CF 30B7 7F3A

So the only remaining issue is the thing about not having a trusted cert chain for the sig, but I'm going to ignore that for now.  If someone gets as far as the FAQ it might as well nudge them to open the hamburger menu to find the .asc file.

Thanks for the help!  Ruby is my favorite language so I want it everywhere I go ;-)
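
Added example, not part of the thread or of RubyInstaller's own documentation: the last message leaves the "not certified with a trusted signature" warning open, and one way to handle it is to pin the signer's fingerprint and decide from gpg's machine-readable status lines instead of the "Good signature" text. The function names, the sample status lines, and the use of the fingerprint printed in this thread as the pin are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify a detached signature and pin the
# signer. PINNED_FPR is the fingerprint gpg printed in this thread; confirm it
# against a copy obtained from the project over a separate channel.
PINNED_FPR="A2A9BAD21B8D41522FE07214E11AE6CF30B77F3A"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line ends
# with the primary-key fingerprint $1 and no failure keyword is present.
status_matches_pin() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
    END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_download SIGFILE DATAFILE
# The decision is taken from the status lines, not from the human-readable
# "Good signature" text, which is also printed for a key nobody has vetted.
verify_download() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    status_matches_pin "$PINNED_FPR"
}

# Constructed status output (timestamps and algorithm ids are made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E11AE6CF30B77F3A ci.ri2 package signing key
[GNUPG:] VALIDSIG A2A9BAD21B8D41522FE07214E11AE6CF30B77F3A 2020-10-06 1601976815 0 4 0 1 8 00 A2A9BAD21B8D41522FE07214E11AE6CF30B77F3A
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Same shape, but signed by a different (constructed) key.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0000000000000001 someone else
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2020-10-06 1601976815 0 4 0 1 8 00 0000000000000000000000000000000000000001'
SAMPLE_BAD='[GNUPG:] BADSIG E11AE6CF30B77F3A ci.ri2 package signing key'

if [ "$#" -eq 2 ]; then
  if verify_download "$1" "$2"; then
    echo "OK: valid signature from pinned key $PINNED_FPR"
  else
    echo "FAIL: no valid signature from pinned key" >&2
    exit 1
  fi
fi
```

Run it with the signature file first and the installer second, the same argument order as the working `gpg --verify` command above.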
