2

I tried the following steps from Verifying Signatures on the Tor Project:

gpg.exe --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

  imported: 1

gpg.exe --fingerprint 0x4E2C6E8793298290

  pub   4096R/93298290 2014-12-15 [expires: 2020-08-24]
  Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
  uid       [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
  sub   4096R/D9FF06E2 2018-05-26 [expires: 2020-09-12]

gpg.exe --verify C:\Users\Cyn\Desktop\torbrowser-install-win64-8.0.4_en-US.exe.asc

  gpg: no signed data
  gpg: can't hash datafile: No data

The file looks like this:

-----BEGIN PGP SIGNATURE-----

blah blah blah/E =oakm

-----END PGP SIGNATURE-----

So what have I done wrong?

Dr-Bracket
  • 182

1 Answers1

8

It's a detached signature and you need the data.

The Tor package signatures, like many other package signatures using PGP/GPG you will find on the net, are what PGP/GPG calls a detached signature -- the data is in one (often large) file, and the signature is in a second, separate (small) file. That's why there are two download links (or buttons) -- one for the actual software package and one for the separate/detached signature. In order to verify a detached signature on data you also need the data (and the public key); e.g. for Windows you need 

torbrowser-install-win64-8.0.4_en-US.exe -- the (relevant) data file 
torbrowser-install-win64-8.0.4_en-US.exe.asc -- the signature

Notice how the filenames have the same base, but the signature has .asc added at the end. If you run gpg[.exe] --verify file.asc where file.asc is a detached signature, gpg automatically looks for the data in file -- and fails if it's not there. (Similarly for file.sig and file for a binary aka 'unarmored' signature.)

The page you link actually says "Assuming you downloaded the package and its signature to your Desktop ..." Notice package AND its signature.

If you actually have the data file but under a different name (including a different directory), or if it's under the defaulted name but you want to be explicit (which the GPG manual now recommends), specify both filenames: 

 gpg[.exe] --verify sigfile.asc datafile
dave_thompson_085
  • 4,082