GPG: Decrypt BLOWFISH encrypted file

I have received encrypted files from someone who used something called omziff to encrypt using BLOWFISH cipher. When I try to decrypt this using GPG like so:
gpg -d --cipher-algo BLOWFISH file.txt
I get the following error message:
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: eof
When I query GPG for supported ciphers, I see blowfish in that list:
gpg (GnuPG) 1.4.11
...
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Thanks for any pointers.
-Raj

Your file needs to be in PGP format for GPG to recognize it. It's unlikely you'd be able to decrypt this file using GPG.

Related

Verify TortoiseGit-2.8.0.0-64bit.msi with gpg2

I want to download and verify TortoiseGit-2.8.0.0-64bit.msi
I use gnupg2 (in Cygwin)
The TortoiseGit download page provides these files:
TortoiseGit-2.8.0.0-64bit.msi
TortoiseGit-2.8.0.0-64bit.msi.rsa.asc
I did the below to verify a download (but got: No public key):
$ gpg2 --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify TortoiseGit-2.8.0.0-64bit.msi.rsa.asc TortoiseGit-2.8.0.0-64bit.msi
gpg: Signature made Thu, Feb 28, 2019 4:34:13 PM EST
gpg: using RSA key 74A21AE301B3CA5BD8072F5EF7F17B3F9DD9539E
gpg: requesting key F7F17B3F9DD9539E from hkp server keys.gnupg.net
gpg: Can't check signature: No public key
Since I don't have a .sig I tried and got:
$ gpg2 --import TortoiseGit-2.8.0.0-64bit.msi.rsa.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
I can't understand how then to properly verify this download -- if anyone can show the correct method it would be greatly appreciated!
Thank you!
The key is available here: https://download.tortoisegit.org/keys.
As the MSI files are also signed using Authenticode, there is no real need for the GPG signatures for end users. The GPG signatures are used by the auto-updater in order to verify the integrity of the update packages (despite the fact that those are also downloaded using HTTPS).
If you need another trust root, you can call TortoiseGitProc.exe /command:pgpfp in order to display the GPG fingerprint.
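Both "no valid OpenPGP data found" errors above (the Blowfish file passed to `gpg -d`, and the `.asc` detached signature passed to `gpg2 --import`) come down to what the file actually contains. The following is an added example, not code from either thread: a small classifier that reads the ASCII-armor label and the first packet header as defined in RFC 4880. The sample inputs and the function names are constructed for illustration.

```python
import base64
import re

# Packet tags from RFC 4880 section 4.3 (subset).
PACKET_TAGS = {1: "public-key encrypted session key", 2: "signature",
               3: "symmetric-key encrypted session key", 6: "public key",
               8: "compressed data", 9: "symmetrically encrypted data",
               11: "literal data", 18: "integrity-protected encrypted data"}

def first_packet_tag(binary: bytes):
    """Tag of the first packet header, or None if the bytes do not start with one."""
    if not binary or not binary[0] & 0x80:      # bit 7 is set on every packet header
        return None
    b0 = binary[0]
    tag = b0 & 0x3F if b0 & 0x40 else (b0 & 0x3C) >> 2   # new vs. old header format
    return tag if tag in PACKET_TAGS else None

def dearmor_head(data: bytes):
    """(armor label, first decoded bytes) for ASCII-armored input, else None."""
    lines = data.lstrip().splitlines()
    m = re.fullmatch(rb"-----BEGIN PGP ([A-Z ]+)-----", lines[0].strip()) if lines else None
    if not m:
        return None
    i = 1
    while i < len(lines) and lines[i].strip():  # skip optional "Key: value" armor headers
        i += 1
    body = lines[i + 1].strip() if i + 1 < len(lines) else b""
    try:
        head = base64.b64decode(body[: len(body) // 4 * 4])
    except ValueError:
        head = b""
    return m.group(1).decode(), head

def classify(data: bytes) -> str:
    """Describe the start of a file. Heuristic: only the first header is inspected."""
    armored = dearmor_head(data)
    if armored:
        label, head = armored
        kind = PACKET_TAGS.get(first_packet_tag(head), "unrecognised packet")
        return f"armored {label}: first packet is {kind}"
    tag = first_packet_tag(data)
    if tag is None:
        return "not OpenPGP data"
    return f"binary OpenPGP: first packet is {PACKET_TAGS[tag]}"

# Constructed samples: minimal armor around the first bytes of a packet header,
# and eight arbitrary bytes standing in for a file that is not in OpenPGP format.
SIG_ASC = b"-----BEGIN PGP SIGNATURE-----\n\niQEA\n-----END PGP SIGNATURE-----\n"
KEY_ASC = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: example\n\n"
           b"mQEN\n-----END PGP PUBLIC KEY BLOCK-----\n")
RAW_FILE = bytes.fromhex("3a91c4077be2d05f")
```

A file classified as a signature belongs after `--verify`, and only a file classified as a public key is something `--import` can use.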

Visual studio makecert DES3 certificate

I'm trying to create a certificate via the Visual Studio Command Prompt to meet the following requirements:
• A valid, (not expired), X.509 signing certificate must be used (e-mail certificate).
• RSA public key (signature) algorithms using key lengths of 1024 bits (or larger).
• Message Digest Algorithm must be SHA1-RSA.
• Encryption algorithm is DES3 (triple DES).
• Key usage must include digital signature (for signing files) and key encipherment (for encrypting the files).
• Certificate (Public Key Only) should be exported in the following format
» .p7c (* PKCS7 cryptographic message syntax standard certificate)
» .cer (DER encoded binary X.509 Certificate)
» .cer (Base64 encoded X.509 Certificate)
I have tried as :
makecert.exe -sv TestCert.pvk -n "Test Cert" -a sha1 -len 1024 -sky 2 -eku 1.6.6.9.2.8.0.3.9 TestCert.cer -r
pvk2pfx.exe -pvk TestCert.pvk -spc TestCert.cer -pfx TestCert.pfx -po Test123$
I also am reading from https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.100).aspx
but so far I have had no luck. I did something valid a while ago but don't seem to remember how. If someone could give me some tips or an example, that would be great.
Thanks in advance.
The algorithm is named 3DES, not DES3.
The encryption algorithm can be applied at the stage of writing the private key to the disk in some format (like PEM or PFX). It's not a part of the certificate. This is why you can't find any option to do this.

How to compare a primary key fingerprint after verifying a signature with gpg?

I am new to cryptography in general, I have a question about the primary key fingerprint:
I have downloaded Apache Maven and, as they say in the download page, have verified the signature of the public key, using gpg:
user$ gpg --verify apache-maven-3.2.3-bin.tar.gz.asc apache-maven-3.2.3-bin.tar.gz
gpg: Signature made Tue Aug 12 00:59:35 2014 MSK using DSA key ID BB617866
gpg: Good signature from "Someone <email@maven.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB11 D4BB 7B24 4678 337A AD8B C7BF 26D0 BB61 7866
Now, I read from http://www.apache.org/dev/release-signing#fingerprint that the primary key fingerprint is a digest of the key, easier to read and compare, but my question is:
How should I compare it? I mean, where should I find the counterpart against which I should compare the fingerprint "FB11 D4BB 7B24 4678 337A AD8B C7BF 26D0 BB61 7866"?
The public keys of the Maven developers are linked on top of the download page.
It only contains the short IDs, which are not sufficient to verify keys, but help you look up which key was used. To do so, delete this key (it probably already was fetched from the key servers while verifying the signature):
gpg --delete-keys [keyid]
Now prepare importing this key, by copying the public key block matching to the key ID given above to a file of your choice. This file should afterwards contain:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[snip]
-----END PGP PUBLIC KEY BLOCK-----
Now import using gpg --import [file]. Now run gpg --fingerprint [keyid], it should print the same fingerprint given in the output of the signature verification.
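The comparison described above can also be automated. This is an added example, not part of the original answer: it parses the machine-readable lines that `gpg --status-fd 1 --verify` emits and accepts the signature only if the primary key fingerprint equals one you obtained from a trusted source. The status text below is constructed around the fingerprint shown in the question, and the function names are assumptions made for this sketch.

```python
import re

FAIL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize_fpr(text: str) -> str:
    """Strip the spacing gpg prints for readability and upper-case the hex."""
    return re.sub(r"\s+", "", text).upper()

def check_signature(status_text: str, pinned_fpr: str):
    """Return (ok, reason) for gpg status output checked against a pinned fingerprint."""
    pinned = normalize_fpr(pinned_fpr)
    # A short key ID does not identify a key; demand the full fingerprint.
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", pinned):
        return False, "pinned value is not a full fingerprint"
    records = {}
    for line in status_text.splitlines():
        parts = line[len("[GNUPG:] "):].split() if line.startswith("[GNUPG:] ") else []
        if parts:
            records.setdefault(parts[0], parts[1:])   # first record per keyword
    failed = FAIL_KEYWORDS & records.keys()
    if failed:
        return False, "gpg reported " + ", ".join(sorted(failed))
    if "GOODSIG" not in records or not records.get("VALIDSIG"):
        return False, "no good signature in status output"
    args = records["VALIDSIG"]
    # Field 10 is the primary key fingerprint; field 1 is the signing (sub)key.
    primary = args[9] if len(args) >= 10 else args[0]
    if primary.upper() != pinned:
        return False, f"signed by {primary}, expected {pinned}"
    return True, f"good signature from pinned key {pinned}"

# Constructed status output; the timestamps and algorithm numbers are made up.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C7BF26D0BB617866 Someone <email@maven.org>
[GNUPG:] VALIDSIG FB11D4BB7B244678337AAD8BC7BF26D0BB617866 2014-08-11 1407790775 0 4 0 17 2 00 FB11D4BB7B244678337AAD8BC7BF26D0BB617866
[GNUPG:] TRUST_UNDEFINED
"""
BAD_STATUS = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG C7BF26D0BB617866 Someone <email@maven.org>\n")
PAGE_FPR = "FB11 D4BB 7B24 4678 337A AD8B C7BF 26D0 BB61 7866"
```

The pinned value must come from somewhere other than the key server that supplied the key, otherwise the check only confirms that the key matches itself.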

How can I validate an ECDSA signature using the signed data, signature and the signer ECDSA public key?

In theory it should be possible to validate the signature of a piece of data if in possession of the public key, signature and data that was signed and the hash algorithm is known.
I have all these components in binary format. Does anybody have an idea about the easiest way to validate this signature? OpenSSL? Python? An example would be great. Can it be done without writing code?
Here's how you can do it in Ruby.
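require 'openssl'
# Read every input as raw bytes; File.read can alter binary data on some platforms.
signature = File.binread('/path/to/sig.der')
data = File.binread('/path/to/data')
pub_key = File.binread('/path/to/ecdsa_pub_key')
key = OpenSSL::PKey::EC.new(pub_key)
# dsa_verify_asn1 expects the message digest, not the message itself.
# SHA-256 is assumed here; use the hash algorithm the signer used.
digest = OpenSSL::Digest::SHA256.digest(data)
if key.dsa_verify_asn1(digest, signature)
  puts 'verified'
end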
This code requires that the OpenSSL linked against Ruby be compiled with elliptic curve support. (Red Hat flavored distributions of Linux do not satisfy this requirement)
If you're curious: dsa_verify_asn1 uses the ECDSA_verify function in the OpenSSL API.
You can use openssl to sign a message with an ECDSA signature, and then you can use openssl to verify the signature:
To sign a message (using SHA256 hashing, given the message and the signer's EC private key):
openssl dgst -sha256 -sign ec-privatekey.pem message.txt > signature.der
Then, to verify the signature (again using SHA256 hashing, given the message, the signer's EC public key, and the signature created above):
openssl dgst -sha256 -verify ec-publickey.pem -signature signature.der message.txt

How to verify downloaded file with .sig file?

When I download GCC, it also has a .sig file, and I think it is provided to verify downloaded file.
(I downloaded GCC from here).
But I can't figure out how should I use it. I tried gpg, but it complains about public key.
[root@localhost src]# gpg --verify gcc-4.7.2.tar.gz.sig gcc-4.7.2.tar.gz
gpg: Signature made Thu 20 Sep 2012 07:30:44 PM KST using DSA key ID C3C45C06
gpg: Can't check signature: No public key
[root@localhost src]#
How can I verify downloaded file with .sig file?
You need to import public key: C3C45C06
Can be done in three steps.
1. Find the public key ID:
$ gpg gcc-4.7.2.tar.gz.sig
gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06
gpg: Can't check signature: No public key
2. Import the public key from a key server. It's usually not needed to choose a key server, but it can be done with --keyserver <server>. Keyserver examples.
$ gpg --recv-key C3C45C06
gpg: requesting key C3C45C06 from hkp server keys.gnupg.net
gpg: key C3C45C06: public key "Jakub Jelinek jakub@redhat.com" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
If the command errors out with a timeout, you may be behind a firewall that is blocking the default gpg port. Try using the --keyserver option with port 80 (almost all firewalls allow port 80 b/c of web browsing):
$ gpg --keyserver hkp://${HOSTNAME}:80 --recv-keys ${KEY_ID}
3. Verify the signature:
$ gpg gcc-4.7.2.tar.gz.sig
gpg: Signature made Čt 20. září 2012, 12:30:44 CEST using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek jakub@redhat.com" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29 3709 A328 C3A2 C3C4 5C06
The output should say "Good signature".
gpg: WARNING: This key is not certified with a trusted signature!
Is for another question ;)
This other avenue is particularly useful for verifying GNU projects (e.g. Octave) since the key requested by their signature may not be found in any key server.
From https://ftp.gnu.org/README
There are also .sig files, which contain detached GPG signatures of
the above files, automatically signed by the same script that
generates them.
You can verify the signatures for gnu project files with the keyring
file from:
https://ftp.gnu.org/gnu/gnu-keyring.gpg
In a directory with the keyring file, the source file to verify and
the signature file, the command to use is:
$ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig
You have to search the public keyservers for the given key id: in your case ID C3C45C06
Import the found key in your local keystore and after this the verification should be OK.
I use Ubuntu 12.04 and it comes with Seahorse key management software. Before the key import I was seeing this:
~/Downloads$ gpg --verify --keyring ./gnu-keyring.gpg icecat-31.5.0.en-US.linux-x86_64.tar.bz2.sig icecat-31.5.0.en-US.linux-x86_64.tar.bz2
gpg: Signature made 9.03.2015 (пн) 22,35,52 EET using RSA key ID D7E04784
gpg: Can't check signature: public key not found
After the key import I was seeing this:
~/Downloads$ gpg --verify --keyring ./gnu-keyring.gpg icecat-31.5.0.en-US.linux-x86_64.tar.bz2.sig icecat-31.5.0.en-US.linux-x86_64.tar.bz2
gpg: Signature made 9.03.2015 (пн) 22,35,52 EET using RSA key ID D7E04784
gpg: Good signature from "Ruben Rodriguez (GNU IceCat releases key) <ruben@gnu.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: A573 69A8 BABC 2542 B5A0 368C 3C76 EED7 D7E0 4784
According to this http://gcc.gnu.org/mirrors.html that should be Jakub Jelinek and valid. I don't know where you would get his public key though.
