Hello Ranga,
Thank you for your post!
Results were successful!
However…
gpg: Good signature from "Tor Browser Developers (signing key) <torbrow...@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Is this important? I downloaded both the .dmg and .asc files from the
Tor Project https website.
Thanks,
Dave
On 18 Apr 2023, at 18:33, Sriranga Veeraraghavan wrote:
Hi Dave,
In my experience, you shouldn't need anything more than GnuPG 2.x to
verify a signature stored in a .asc file. You should be able to
verify the signature stored in a .asc file as follows:
gpg --verify [.asc file] [.dmg file]
This assumes that you have the relevant public key in your GnuPG
keychain. If you do not have the relevant key in your keychain, you
will need to download it and import it:
gpg --import [key file]
Best,
-ranga
On Apr 18, 2023, at 17:08, dave c via macports-users
<macports-users@lists.macports.org> wrote:
I want to verify an installer .dmg file’s signature. I downloaded
both files (installer and signature) from the developer’s site.
I installed gpg tools and discovered that gpg is looking for a .sig
file, but the signature file available from the developer is an .asc
file.
I won’t describe the rabbit hole I went down of installing other
packages so as to install apt-get, which requires other packages be
installed first…
I’m not ignorant nor inexperienced using terminal but this time it
was just too far.
Looking for help to the shortest distance to my goal of verifying a
signature.
Thanks,
Dave
macOS 10.12.6 Sierra
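
Added example (not part of the original thread, and not MacPorts or Tor Project code): the warning quoted in the first message is about who owns the key, not about the signature itself, so this sketch reads gpg's machine-readable status output and compares the signing key's primary fingerprint with one obtained separately from the publisher. The fingerprints, sample status lines and function names are constructed placeholders.

```shell
#!/bin/sh
# Real use (file names and fingerprint are placeholders):
#   gpg --status-fd 1 --verify FILE.asc FILE.dmg 2>/dev/null | check_status "$PUBLISHED_FPR"

# check_status EXPECTED_PRIMARY_FPR   (gpg status lines on stdin)
# returns 0: valid signature made by the expected key
#         1: no valid signature (bad, unknown, expired or revoked key)
#         2: valid signature, but from a different key than expected
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    primary=""
    bad=0
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # The last VALIDSIG field is the primary key fingerprint,
                # which is the one to compare when a subkey signed the file.
                primary=${rest##* } ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)
                bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ -n "$primary" ] || return 1
    [ "$primary" = "$expected" ] || return 2
    return 0
}

# trust_level: print the TRUST_* keyword. TRUST_UNDEFINED is what gpg shows
# as "[unknown]" together with the "not certified" WARNING.
trust_level() {
    sed -n 's/^\[GNUPG:\] \(TRUST_[A-Z]*\).*/\1/p'
}

# Constructed sample: a good signature from a key with no assigned trust.
SAMPLE_PRIMARY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_SUBKEY=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
sample_status() {
cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Developers (signing key) <dev@example.org>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2023-04-18 1681776000 0 4 0 1 10 00 $SAMPLE_PRIMARY
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

sample_status | check_status "$SAMPLE_PRIMARY"
echo "check_status exit: $? (trust: $(sample_status | trust_level))"
```

A zero exit together with TRUST_UNDEFINED corresponds to the output quoted at the top of the thread: the signature verifies, and the fingerprint comparison is what ties the key to its publisher.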