How to verify download using signature

40 views
Skip to first unread message

Steve E

unread,
Mar 19, 2021, 12:07:30 PMMar 19
to RubyInstaller
Hi,

I have downloaded the .asc file and the .exe for the installer, now I want to verify the installer is not tampered with.  How do I do that?  I was not able to find instructions for this on the website.

Some steps I found:
gpg --import ci.ri2-package-signing-key.asc
gpg --verify ci.ri2-package-signing-key.asc rubyinstaller-devkit-2.7.2-1-x64.exe

The problem I have is that the import says "gpg: key E11AE6CF30B77F3A: 1 signature not checked due to a missing key" and I have no idea how to address this.  Attempting the verify anyway results in "gpg: verify signatures failed: Unexpected error"

I'm attempting this from a cygwin bash if that makes any difference.  My gpg is:

gpg (GnuPG) 2.2.27
libgcrypt 1.8.7
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: .../gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Lars Kanis

unread,
Mar 19, 2021, 12:35:36 PMMar 19
to RubyInstaller
That's a good question! I added a link to the wiki in the RubyInstaller download page. Is this OK for you? Does it work?

--
You received this message because you are subscribed to the Google Groups "RubyInstaller" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyinstalle...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyinstaller/05bde22e-830a-46d6-b9b7-909d751405fan%40googlegroups.com.

Steve E

unread,
Mar 19, 2021, 6:13:55 PMMar 19
to RubyInstaller
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2265  100  2265    0     0   2265      0  0:00:01 --:--:--  0:00:01 13245
gpg: key E11AE6CF30B77F3A: 1 signature not checked due to a missing key
gpg: key E11AE6CF30B77F3A: public key "ci.ri2 package signing key" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

$ gpg --verify ci.ri2-package-signing-key.asc rubyinstaller-devkit-2.7.2-1-x64.exe
gpg: verify signatures failed: Unexpected error

I don't have a file rubyinstaller-devkit-2.7.2-1-x64.exe.asc, the download only gave me the .exe file

Steve E

unread,
Mar 19, 2021, 7:09:12 PMMar 19
to RubyInstaller
Got it.

The little hamburger menu next to the download opens up to show the sig file for that download.  For some reason I never noticed that or thought to look inside it.  I pulled down the .asc file, used the correct command, and got:

$ gpg --verify rubyinstaller-devkit-2.7.2-1-x64.exe.asc rubyinstaller-devkit-2.7.2-1-x64.exe
gpg: Signature made 10/6/2020 11:33:35 AM ric
gpg:                using RSA key A2A9BAD21B8D41522FE07214E11AE6CF30B77F3A
gpg: Good signature from "ci.ri2 package signing key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A2A9 BAD2 1B8D 4152 2FE0  7214 E11A E6CF 30B7 7F3A

So the only remaining issue is the thing about not having a trusted cert chain for the sig, but I'm going to ignore that for now.  If someone gets as far as the FAQ it might as well nudge them to open the hamburger menu to find the .asc file.

Thanks for the help!  Ruby is my favorite language so I want it everywhere I go ;-)

Reply all
Reply to author
Forward
0 new messages