Highlight

2025-11-05

GPG - GNU Privacy Guard

GPG (GnuPG) is a free, open-source implementation of the OpenPGP standard (PGP, Pretty Good Privacy). It uses public-private key pairs to sign hashes or encrypt content; a signature lets the recipient verify the integrity and origin of what was signed.

Today, with help from ChatGPT, I finally used it in Git Bash on Windows 11 to verify the Cygwin installer in order to install GCC to compile the backend for Grafana to test a patch for a label regression in 1.6.

First inspect the public keys in the downloaded keyring, then import them; otherwise verification fails with "gpg: Can't check signature: No public key":

C@MSI MINGW64 ~/Documents/code/GitHub/grafana (main)
$ gpg --show-keys "C:\Users\C\Downloads\cygwin_pubring.asc.txt"
pub   dsa1024 2008-06-13 [SC] [expired: 2022-09-03]
      1169DF9F22734F743AA59232A9A262FF676041BA
uid                      Cygwin <cygwin@cygwin.com>
sub   elg1024 2008-06-13 [E] [expired: 2022-09-03]

gpg: WARNING: No valid encryption subkey left over.
pub   rsa4096 2020-02-27 [SC] [expires: 2027-02-27]
      56405CF6FCC81574682A5D561A698DE9E2E56300
uid                      Cygwin <cygwin@cygwin.com>
C@MSI MINGW64 ~/Documents/code/GitHub/grafana (main)
$ gpg --import "C:\Users\C\Downloads\cygwin_pubring.asc.txt"
gpg: /c/Users/C/.gnupg/trustdb.gpg: trustdb created
gpg: key A9A262FF676041BA: public key "Cygwin <cygwin@cygwin.com>" imported
gpg: key 1A698DE9E2E56300: public key "Cygwin <cygwin@cygwin.com>" imported
gpg: Total number processed: 2
gpg:               imported: 2
gpg: no ultimately trusted keys found

The "No valid encryption subkey left over" warning is GPG just noting that the old key's encryption subkey [E] has expired; it does not affect signature verification. Key capabilities:

Letter  Meaning       Description
S       Sign          Used to create digital signatures — for signing messages or files (like the .sig file from Cygwin).
C       Certify       Used to sign other keys — e.g. when one key "certifies" that another key belongs to someone (building the "web of trust"). Usually part of the primary key's role.
E       Encrypt       Used to encrypt data so only the matching private key can decrypt it. Typically found on a subkey.
A       Authenticate  Used to prove identity in secure communication (e.g. SSH or email authentication). Not common on signing keys for software releases.

Then verify the signature of the executable:

C@MSI MINGW64 ~/Documents/code/GitHub/grafana (main)
$ gpg --keyid-format=long --with-fingerprint --verify /C/Users/C/Downloads/setup-x86_64.exe.sig /C/Users/C/Downloads/setup-x86_64.exe
gpg: Signature made Thu, May 22, 2025  4:49:21 PM WEDT
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <cygwin@cygwin.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A  5D56 1A69 8DE9 E2E5 6300
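The "not certified with a trusted signature" warning above means GPG has no trust path to the key, so "Good signature" only proves the file matches some key you imported. An added example (not from the original post or from the Cygwin project) that makes that check explicit: it runs the same verification with gpg's machine-readable status output and accepts the file only if the signature is good and the primary fingerprint equals a pinned value, here the fingerprint shown by `gpg --show-keys` above. Function names and the sample status lines are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: verify a detached signature and pin the signer's primary
# fingerprint instead of eyeballing the "Primary key fingerprint" line.
set -u

# Fingerprint of the Cygwin release key, as printed by `gpg --show-keys`
# on the downloaded pubring. Obtain it out-of-band and compare carefully.
EXPECTED_FPR="56405CF6FCC81574682A5D561A698DE9E2E56300"

# check_status reads `gpg --status-fd` lines on stdin. It succeeds only if
# gpg reported GOODSIG (not EXPKEYSIG/REVKEYSIG/EXPSIG/BADSIG) and the
# VALIDSIG line's last field (the primary key fingerprint) matches $1.
check_status() {
    local expected="$1" good=0 fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] VALIDSIG "*)  fpr="${line##* }" ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] EXPSIG "*)
                return 1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$fpr" = "$expected" ]
}

# verify_file: --status-fd 1 sends the machine-readable status to stdout
# (human-readable text stays on stderr), which we feed to check_status.
# Usage: verify_file setup-x86_64.exe.sig setup-x86_64.exe && echo verified
verify_file() {
    local sig="$1" file="$2"
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}
```

In Git Bash the same /c/Users/... paths used in the post work as arguments to verify_file.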
