void-docs icon indicating copy to clipboard operation
void-docs copied to clipboard
verified publisher icon void-linux

Can't verify signature authenticity using provided minisign instructions

Open adigitoleo opened this issue 4 years ago • 0 comments

Following the installation guide at https://docs.voidlinux.org/installation/index.html, I can't verify the signature authenticity for the 2021/02 release (void-live-x86_64-20210218.iso). I've removed the first line, but minisign still doesn't like it.

❯ minisign -Vm sha256sum.txt -f -p void-release-20210218.pub
Error while loading the public key file
~/Downloads
❯ cat void-release-20210218.pub
RWRSNnH5WbLx1EWUgJGeccx/Dof1MH5k5tZFytMlIOgpRJvRxHJtMqrP
~/Downloads
❯ minisign -version
minisign 0.9

Refreshing the signature file and using signify instead worked:

❯ signify -C -p void-release-20210218.pub -x sha256sum.sig
Signature Verified
void-live-x86_64-20210218.iso: OK

Minisign by default wants a trusted comment instead of untrusted (probably the reason behind the recommendation in the guide to delete the first line):

❮ minisign -Vm sha256sum.txt -f -p void-release-20210218.pub
Trusted signature comment should start with "trusted comment: "
~/Downloads
❯ cat void-release-20210218.pub
untrusted comment: This key is only valid for images with date 20210218. public key
RWRSNnH5WbLx1EWUgJGeccx/Dof1MH5k5tZFytMlIOgpRJvRxHJtMqrP

adigitoleo avatar Oct 13 '21 08:10 adigitoleo