For Cybersecurity Newbies: How do I download the .asc file to verify a detached signature with Kleopatra

I am new to the world of cybersecurity, and I am attempting to install Nmap and Zenmap. Before I open the executable file to install Nmap, I want to verify the detached PGP signature through Kleopatra. However, I am unsure as to how to download the Public Key in order to do this. The Nmap Sigs page has files listed, but when I open them in Firefox, instead of downloading the file, the information opens in a new window.

Should I be copying and pasting the Signature data to a file on my device and then making that the signature file? If so, do I have to specially format the file, or can I copy and paste into Notepad and then use Kleopatra to make that the signature?


Solution 1:

Assuming it's ASCII-armored (begins with -----BEGIN PGP SIGNED MESSAGE-----, etc.):

Copy the entire message, starting with that line and ending with -----END PGP SIGNATURE----- (including both those lines themselves).

In Kleopatra, click the 'Notepad' button.

Paste the message into the text box.

Click 'Decrypt / Verify Notepad'.

If you don't already have the signer's public key in your keyring, you will be told "The data could not be verified" along with some gobbledygook, and on the right will be a button offering to import/search for the key. Click 'Import' if you have the key in a file somewhere; or 'Search' to try and find it from a public keyserver.

Once you do have the signer's public key, you will probably still be told "The data could not be verified". This is not because the signature is bad (otherwise it would say "Invalid signature")! The signature is (presumably) valid in that it really was made with this key. It's just that, as far as GnuPG knows, there is no reason to believe the owner information on the key is accurate! Anyone can create a key with whatever name they like attached to it, so it's up to you to verify the real owner. (Generally this means verifying their key fingerprint with them through some more-trusted channel, such as in person or over the phone.)

Click the hyperlinked name/email/keyid in the output box, to open a window with more details. If you feel sufficiently assured that the key is authentic, go ahead and click Certify and follow the instructions. (My practice here is to "Certify only for myself" if I'm just making a judgment call to accept it, "Certify for everyone to see" if I've personally verified the accuracy of all the ID information).

Once you have certified the key, verifying the signature should give you a pleasant green box saying "Valid signature by [so-and-so]".

--SunAvatar on Reddit
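The four states the answer describes (no key, key imported but uncertified, key certified, and a bad signature), reproduced with the gpg command line that Kleopatra drives; this is an added example, not part of the Reddit post, and every file, key name and keyring in it is constructed for the demo (the real Nmap key is not involved).

```shell
#!/bin/sh
# Added example (not from the original post): the verification the answer
# walks through in Kleopatra, done with the gpg CLI that Kleopatra drives.
# Everything is constructed here: a throwaway "release" file, a throwaway
# signer key and a throwaway personal key, each in a temporary keyring, so
# it runs offline and never touches ~/.gnupg or the real Nmap key.
set -eu
SIGNER=$(mktemp -d); ME=$(mktemp -d); WORK=$(mktemp -d)   # signer keyring, your keyring, files
cleanup() { for h in "$SIGNER" "$ME"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
            rm -rf "$SIGNER" "$ME" "$WORK"; }
trap cleanup EXIT
# g <keyring> <gpg args...>: unattended gpg against one keyring, empty passphrase
g() { h=$1; shift; GNUPGHOME=$h gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
# verdict <file> <sig>: gpg's machine-readable status tokens, which Kleopatra turns into its messages
verdict() {
    GNUPGHOME=$ME gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
      awk '$2 ~ /^(GOODSIG|BADSIG|ERRSIG|NO_PUBKEY|TRUST_[A-Z]+)$/ { v = (v == "" ? $2 : v " " $2) } END { print v }'
}

# 1. Signer side: a release file, its detached ASCII-armored signature (the .asc) and the public key.
printf 'pretend this is nmap-setup.exe\n' > "$WORK/release.exe"
g "$SIGNER" --quick-gen-key 'Example Signer <signer@example.invalid>' default default never 2>/dev/null
g "$SIGNER" --armor --detach-sign --output "$WORK/release.exe.asc" "$WORK/release.exe"
g "$SIGNER" --armor --export --output "$WORK/signer-pubkey.asc"
FPR=$(g "$SIGNER" --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')

# 2. Your side, signer's key not in the keyring: "could not be verified", Kleopatra offers import/search.
STEP1=$(verdict "$WORK/release.exe" "$WORK/release.exe.asc")        # ERRSIG NO_PUBKEY
# 3. Key imported but not certified: the signature checks out, yet the key's owner is unproven.
g "$ME" --import "$WORK/signer-pubkey.asc" 2>/dev/null
STEP2=$(verdict "$WORK/release.exe" "$WORK/release.exe.asc")        # GOODSIG TRUST_UNDEFINED
# 4. "Certify only for myself": a local (non-exportable) signature on the key, made with your own key.
g "$ME" --quick-gen-key 'Me <me@example.invalid>' default default never 2>/dev/null
g "$ME" --quick-lsign-key "$FPR" 2>/dev/null
STEP3=$(verdict "$WORK/release.exe" "$WORK/release.exe.asc")        # GOODSIG TRUST_FULLY
# 5. A tampered download: the signature itself fails, which is a different message entirely.
printf 'x' >> "$WORK/release.exe"
STEP4=$(verdict "$WORK/release.exe" "$WORK/release.exe.asc")        # BADSIG
printf 'no key: %s\nuncertified: %s\ncertified: %s\ntampered: %s\n' "$STEP1" "$STEP2" "$STEP3" "$STEP4"
```

Only the third state gives the green "Valid signature" box; note that the uncertified state is still a GOODSIG, exactly as the answer explains.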