GPG fingerprint verification

Linux and openwrt question kind of…

https://openwrt.org/docs/guide-user/security/release_signatures


    gpg --with-fingerprint --verify sha256sums.asc sha256sums

When I run this code I get an OK on the sha256sums and it shows the fingerprint.
But gpg also makes a third result line that says it can’t verify the fingerprint because it has nothing to compare it with.

So now I manually compare it with the fingerprint on the fingerprint page. It works, but it doesn’t feel like Linux tech😂.
But that fingerprint page we have also has a downloadable fingerprint file.

So, shouldn’t it be possible to run all three files in gpg since it already asks for it?

And does any Linux guru know what to write in the commands for that? Should I just have a link to the third fingerprint file at the end? I have tried to read the gpg Debian manual but this function isn’t really that obvious in the functions.

Am I supposed to download the public fingerprint file and import it into the gpg keyring to have gpg use it to compare the sha256sums fingerprint?

I worked on this and found a way. The gpg key must be imported to the gpg keyring (not to be confused with apt key ring!)

  1. Download the public gpg key file for the release you are working on from the OpenWRT homepage.

  2. Save it as “some filename”.gpg file.

  3. Import it on the Linux computer you use to build the image with this command:
    sudo gpg --import "some filename".gpg

  4. Verify the OpenWRT key is installed with
    sudo gpg --list-key

Now the gpg sha256 test should evaluate the key also.

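The import-then-verify steps above can be combined with the fingerprint comparison in one script. This is an added example, not part of the original posts or the OpenWrt documentation: the function names are hypothetical, the file names are placeholders, and the expected fingerprint is assumed to be copied from the project's fingerprint page. It imports the key into a temporary keyring rather than the keyring used in the post.

```shell
#!/bin/sh
# Added example: verify a detached signature in a throwaway keyring and pin
# the signer to a fingerprint copied from the project's fingerprint page.

# Normalise a fingerprint: drop spaces and colons, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin and print the fingerprint of the key
# behind a valid signature. The last VALIDSIG field is the primary key; fall
# back to the signing key (field 3) if the line is the short legacy form.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print (length($NF) >= 40 ? $NF : $3); exit
         }'
}

# Succeed only when the status output holds a valid signature made by EXPECTED.
signed_by() {   # usage: signed_by EXPECTED_FPR < status-output
    got=$(validsig_fpr)
    [ -n "$got" ] && [ "$got" = "$(norm_fpr "$1")" ]
}

# verify_release KEYFILE SIGFILE DATAFILE EXPECTED_FPR
verify_release() {
    home=$(mktemp -d) || return 2          # private keyring, no sudo needed
    chmod 700 "$home"
    if gpg --homedir "$home" --batch --quiet --import "$1"; then
        gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" \
            2>/dev/null | signed_by "$4"
        rc=$?
    else
        rc=2
    fi
    rm -rf "$home"
    return "$rc"
}

# Run only when all four arguments are given, e.g.
#   sh verify.sh release-key.asc sha256sums.asc sha256sums "<fingerprint>"
# (file names and the fingerprint argument are placeholders)
if [ "$#" -eq 4 ]; then
    verify_release "$@" && echo "signature OK, fingerprint matches" \
        || { echo "verification FAILED" >&2; exit 1; }
fi
```

The script exits non-zero when the signature is bad or when it was made by a key other than the pinned one, so it can gate a build step.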