gpg --verify之"Can't check signature: No public key"

自從XcodeGhost之后下載軟件之后也會先驗證一下md5sum，現在發現后面還有gpg簽名，於是也開始學習一下。

• gpg的文件在centos6.4上是默認安裝的，其安裝使用可以參照ruanyifeng的文章。

這里主要講一下怎么對下載的文件進行驗證。

• 首先當然是下載安裝文件，這次下載的使用wso2的data service server 3.2.1，下載地址。

• 然后是打開gpg文件，如下圖1所示，將這個文件也下載下來

• 在term下面執行gpg --verify wso2dss-3.2.1.zip.asc，可以得到如下的提示

    gpg: Signature made Tue 13 May 2014 05:06:11 AM PDT using RSA key ID 2B2458BF
    gpg: Can't check signature: No public key

• 原因是沒有2B2458BF這個KEY ID的公鑰，於是可以使用以下語句下載公鑰

    $ gpg --search-keys 2B2458BF
    gpg: searching for "2B2458BF" from hkp server keys.gnupg.net
    gpg: keyserver timed out
    gpg: keyserver search failed: Keyserver error

• 發現錯誤，可能是端口的問題，參照此文的解答，使用以下命令下載公鑰。

    $ sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 2B2458BF
    gpg: directory `/root/.gnupg' created
    gpg: new configuration file `/root/.gnupg/gpg.conf' created
    gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
    gpg: keyring `/root/.gnupg/secring.gpg' created
    gpg: keyring `/root/.gnupg/pubring.gpg' created
    gpg: requesting key 2B2458BF from hkp server keyserver.ubuntu.com
    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key 2B2458BF: public key "Anjana Fernando (LA_F) 
  
  
  
          
            " imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) 
          

• 再進行校驗，就可以得到成功的信息。

    $ sudo gpg --verify wso2dss-3.2.1.zip.asc 
    gpg: Signature made Tue 13 May 2014 05:06:11 AM PDT using RSA key ID 2B2458BF
    gpg: Good signature from "Anjana Fernando (LA_F) 
  
  
  
          
            " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 56EA 3B61 4CC4 7875 A865 0858 8E1A ACF4 2B24 58BF