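I want to verify the download https://nginx.org/download/nginx-1.21.6.zip using the signing key https://nginx.org/download/nginx-1.21.6.zip.asc (I got both links from https://nginx.org/en/download.html).
I downloaded the signing key from https://nginx.org/keys/nginx_signing.key.
How do I verify the download?
I tried following the steps outlined in https://serverfault.com/questions/896228/how-to-verify-a-file-using-an-asc-signature-file#answers, but I did not get the same results.
Here is what I did:
- Downloaded the 3 files to a common directory.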
https://nginx.org/download/nginx-1.21.6.zip
https://nginx.org/download/nginx-1.21.6.zip.asc
https://nginx.org/keys/nginx_signing.key
gpg --keyid-format long --list-options show-keyring nginx_signing.key
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa2048/ABF5BD827BD9BF62 2011-08-19 [SC] [expires: 2024-06-14]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key <signing-key@nginx.com>
This made me wonder whether this was going to work, but I continued.
gpg --import nginx_signing.key
gpg: key ABF5BD827BD9BF62: 3 signatures not checked due to missing keys
gpg: Oops: lock already held by us
gpg: key ABF5BD827BD9BF62: public key "nginx signing key <signing-key@nginx.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
gpg: Oops: lock already held by us
gpg --verify nginx-1.21.6.zip.asc nginx-1.21.6.zip
gpg: Signature made Tue Jan 25 09:10:54 2022 CST
gpg: using RSA key 520A9993A1C052F8
gpg: Can't check signature: No public key
Here is my gpg version (gpg --version):
gpg (GnuPG) 2.2.29-unknown
libgcrypt 1.9.3-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /c/Users/username/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
I am using bash for Windows. Yes, I have to use Windows.
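
An added example, not part of the original post: the output above shows the signature was made by key 520A9993A1C052F8 while the only imported key is ABF5BD827BD9BF62, and this script makes that comparison from gpg's machine-readable output (`--status-fd` and `--with-colons`). The function names and the sample lines are constructed for illustration; only the two key IDs and the fingerprint come from the question.

```shell
#!/bin/sh
# Explain a "No public key" result by comparing the key ID that made the
# signature with the key IDs actually present in the keyring.

# stdin: `gpg --status-fd 1 --verify ...` output; prints the missing key ID.
missing_key_id() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3; exit }'
}

# stdin: `gpg --with-colons --list-keys` output; prints primary and subkey IDs.
keyring_key_ids() {
    awk -F: '$1 == "pub" || $1 == "sub" { print $5 }'
}

# diagnose STATUS_TEXT KEYLIST_TEXT
# Prints "missing:<id>", "present:<id>" or "no-missing-key".
diagnose() {
    need=$(printf '%s\n' "$1" | missing_key_id)
    if [ -z "$need" ]; then
        echo "no-missing-key"
        return 0
    fi
    if printf '%s\n' "$2" | keyring_key_ids | grep -qix "$need"; then
        echo "present:$need"
    else
        echo "missing:$need"
    fi
}

# Live use against real files (defined here, not called by this script).
check_download() {  # check_download SIGFILE DATAFILE
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    keys=$(gpg --with-colons --list-keys 2>/dev/null) || true
    diagnose "$status" "$keys"
}

# Constructed sample input built from the key IDs shown in the question;
# colon-record fields other than record type, key ID and fingerprint are empty.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 520A9993A1C052F8'
SAMPLE_KEYS='pub:-:2048:1:ABF5BD827BD9BF62:::::::::
fpr:::::::::573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62:
uid:-::::::::nginx signing key <signing-key@nginx.com>:'

diagnose "$SAMPLE_STATUS" "$SAMPLE_KEYS"
```

With real files, `check_download nginx-1.21.6.zip.asc nginx-1.21.6.zip` runs the same comparison against the local keyring.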