How to verify .asc using windows?

No_wayman · July 1, 2017, 8:02am

Hi there,
I need some help to verify the download…
i tried gpg4win but I am confused on how to use the link to the public signature.
Does anyone have a noobs step by step to verifying the download??

Cheers

alexej996 · July 1, 2017, 11:44am

I have never used windows for this, but I am going to try and predict how it is used, so it is very possible it won’t work, but hopefully you will figure it out.

It seems like gpg4win is a collection of many tools. I assume you will just need GnuPG when installing it, that is the only required one. Then just like in Linux I assume you can start it from the console.

To open a console press cmd+r (windows button + r ) and type in the field cmd and press enter (or click run)
Navigate to the folder where gpg4win is installed and find a program I assume is called something like GnuPG.exe ( you change a directory with a command “cd [name of directory]” , you list files in the directory with “dir”)
When you are in the same folder as GnuPG.exe or whatever it is called, type in the command window “GnuPG.exe --import [location of F379A1C6.asc]”. That is a file which contains Manfred’s public key
To verify the download type “GnuPG.exe --verify [location of Bisq-64bit-0.5.1.exe.asc] [Bisq-64bit-0.5.1.exe]”. If it returns that it is a good signature, but that there is no indication the key belongs to the owner or something like that. Then that is ok, it just means you haven’t sign Manfred’s key with your own.

To be more sure you downloaded the right key you can type “GnuPG.exe --fingerprint F379A1C6” and it should return “1DC3 C8C4 316A 698A C494 039C F5B8 4436 F379 A1C6”.

EDIT: Changed angle brackets <, > to square brackets [, ] since the forum software didn’t show what was written inside.

shrike · July 1, 2017, 11:49am

i think gpg4win installs gpg and its available in the PATH.
i find the gui tools are confusing for gpg so i use the command line :

so basicly what alex said. maye try gpg instead. eg.

gpg --import F379A1C6.asc
gpg --verify Bisq-64bit-0.5.1.exe.asc

In the output you need to look for is a “good signature”. you can ““ignore”” the warning about not being certified.

release signing key
https://bisq.io/pubkey/F379A1C6.asc

No_wayman · July 2, 2017, 12:05am

OK cool. I think I understand…
find gpg program.
use dos prompt

– now, which directory do i goto?? the one with the F379A1C6.asc?? or the opne with the gpg.exe file??
– and how do we download F379A1C6.asc. when i click on the link it comes up in a webpage and I cant download F379A1C6.asc. This is what stumbles me… If I could get this file I imagine i could drag it to the folder of the gpg.exe and then run the above commands…

gpg --import F379A1C6.asc
gpg --verify Bisq-64bit-0.5.1.exe.asc

am i missing something??
cheers !!

alexej996 · July 2, 2017, 9:39am

You go to the directory of gpg.exe

If your browser opens a file instead of downloading it, you can click right click on that page (on the text of F379A1C6.asc) and click “Save Page As…”.

Yes you can drag it to the folder where gpg.exe is at and just run "gpg.exe --import F379A1C6.asc"
And “gpg.exe --verify Bisq-64bit-0.5.1.exe.asc” (it will assume Bisq-64bit-0.5.1.exe as the second argument).

EDIT: In windows it would be gpg.exe instead of just gpg.

No_wayman · July 2, 2017, 10:57am

Cool so it imported ok now, but it had some verify error…
I copied both bisq.exe file and the .asc file into that same directory to no avail??

is it supposed to be
gpg --verify Bisq-64bit-0.5.1.exe.asc
OR
gpg --verify Bisq-64bit-0.5.1.exe

alexej996 · July 2, 2017, 11:25am

Make sure that is the right name and that it is there with “dir”
You can also try “gpg --verify Bisq-64bit-0.5.1.exe.asc Bisq-64bit-0.5.1.exe”, but that should give the same result.

No_wayman · July 2, 2017, 11:47am

Yep all in there… no joy…

alexej996 · July 2, 2017, 11:57am

There is no Bisq-64bit-0.5.1.exe.asc in the folder only Bisq-64bit-0.5.1.exe

You need to download it as well and place it in the same folder. It is listed right below the Bisq-64bit-0.5.1.exe

No_wayman · July 2, 2017, 12:01pm

YAY…
I thought i was doing something sillly…
Thanks looks like its all good!!!

alexej996 · July 2, 2017, 12:03pm

Also you can run “gpg --refresh-keys” to get rid of the “Note: This key has expired!”

No_wayman · July 2, 2017, 12:04pm

Im not sure why id want to . all I really care is that it is legit right??

alexej996 · July 2, 2017, 12:06pm

Well yes, but keys have an expiration date, they become more likely to become cracked over time. That’s why it is important to have a key that has not expired.

No_wayman · July 2, 2017, 12:09pm

Done… all looks good!!

alexej996 · July 2, 2017, 12:10pm

Congratulations!

No_wayman · July 2, 2017, 12:12pm

Do most people do all this or do you think they just dont bother??
Im not computer iliterate but this was a lil painfull…

Well I hope someone out there see and learns I know I certainly have… thanks agian.!!!

alexej996 · July 2, 2017, 12:19pm

You get used to it Besides you don’t need to do all of that every time, it is just “gpg --verify” that verifies the file, the rest was just because it was the first time you used Manfred’s key.

I don’t think most people bother, but it really isn’t very hard. You have like 3 commands: download the key, update it and then verify whatever files you need. Other troubles you went through was just common path problems everyone using a console can have and not understanding what you need. But now it should be trivial for you too check every signature in like a minute.

No_wayman · July 2, 2017, 12:25pm

Yep for sure…Now that I know it Ill for sure use it every time…
I noticed other people use .sig files (and other extensions), is it the same process?

The sha1 check is easy enough… you run the sha command on the file and it spits out the key. But apparently sha is not secure anymore??

alexej996 · July 2, 2017, 12:41pm

Yes it is a same process. It is actually the same file, you can just rename it to .asc if you wish. I don’t think that gpg assumes the path for a file when .sig is the signature file, but you can just rename it to .asc or add the second argument to the “gpg --verify” with the name of the file you are checking, like I mentioned above.

sha1 check is a hash check and it is something quite different, but it is not secure anymore even as a hash check. You can see here 2 different files with a same sha1 hash

It is recommended to at least use SHA2 , but that is not the same type of check we are talking about here. This public key signature check actually uses hash check as well, but then checks if it was signed with that public key.

Hash functions like SHA1 just return a value that should be unique to every file, but you can not be sure if it is coming from the same person you think it is or from somebody else intercepting your connections. When a file is signed with a public key, only the owner of the private key was able to sign it. And only he knows the private key as he created both private and public key together to have such a mathematical property. It is then just up to you validating the authenticity of that public key belonging to who it says it is. This is the exact warning you are receiving, you haven’t singed it with your master private key as a valid public key. You will have to meet Manfred in person to be 100% sure that it belongs to him.