0

There are CHECKSUMS.TXT and CHECKSUMS.TXT.gpg files available on the Clonezilla Live's official download page.

However I cannot verify its signature by usual verify command:

$ gpg --verify --keyring ./CHECKSUMS.TXT.gpg ./CHECKSUMS.TXT
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

and

$ gpg --verify ./CHECKSUMS.TXT.gpg
gpg: no signed data
gpg: can't hash datafile: No data

How can I verify the CHECKSUMS.TXT file's integrity using CHECKSUMS.TXT.gpg file that is available on Clonezilla Live's official web site?

Improve this question
1
  • Have you tried gpg --verify ./CHECKSUMS.TXT.gpg ./CHECKSUMS.TXT?
    – user2313067
    Commented Feb 12, 2017 at 8:54

1 Answer 1

Reset to default
0

Clonezilla uses a detached signature. The GPG manual has a paragraph on detached signatures, which shows how to create them, and how to verify them.

The correct command line to verify such signatures is gpg --verify ./CHECKSUMS.TXT.gpg ./CHECKSUMS.TXT.

I've never before seen the gpg --verify --keyring ./CHECKSUMS.TXT.gpg ./CHECKSUMS.TXT line, which attempts to verify a signed file (containing both the signature and the original document) ./CHECKSUMS.txt while adding the keys in the ./CHECKSUMS.TXT.gpg to the keyring.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .