Can't Verify "PGP SIGNED MESSAGE" in Linux
gpg ver. 2.1.18; Debian Stretch
Public key duly imported from https://cygwin.com/key/pubring.asc
I downloaded a pair of cygwin installation files from https://cygwin.com/install.html and they passed the verify test:
i.e. gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
yielded nothing untoward...
I was happy at that point and should have stopped there. However, I noticed on said Installing and Updating Cygwin Packages page, in the Signing key transition section, a link to a message in the Cygwin-announce mailing list (https://sourceware.org/pipermail/cygwin-announce/2020-March/009447.html).
Well, try as I might, I could not verify said message in what I thought was the normal fashion - i.e. I saved said message to a text file (cygwin.asc), starting with the -----BEGIN PGP SIGNED MESSAGE----- line and ending with the -----END PGP PUBLIC KEY BLOCK----- line, and ran
gpg --verify cygwin.asc
which resulted in:
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg: using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A 5D56 1A69 8DE9 E2E5 6300
gpg: verify signatures failed: Unexpected error
The only way I could eliminate said gpg: verify signatures failed: Unexpected error squawk was to, in said cygwin.asc file, truncate the public key section of the message (thus creating the cygwin-no-pubkey.asc file). Then:
$ gpg --verify cygwin-no-pubkey.asc
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg: using DSA key 1169DF9F22734F743AA59232A9A262FF676041BA
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
gpg: Signature made Fri 13 Mar 2020 09:44:49 AM MDT
gpg: using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A 5D56 1A69 8DE9 E2E5 6300
which looked copasetic to me!
What is going on here? Why did I have to remove the public key block from the subject message in order to achieve goodness? I looked for hours, including here with no joy!:
The final line stating gpg: verify signatures failed: Unexpected error results when gpg --verify encounters non-signature OpenPGP data (the public key block), but this does not negate the previous output showing the signatures were successfully verified.
This is expected behavior. Cygwin could have included in their instructions (which say to save both the clearsigned text and public key block in the same file) a statement alerting users to this.
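As an added illustration (not part of the question or the answer above): the script below separates a saved announcement into its clearsigned part and its public key block, hands only the clearsigned part to gpg --verify, and reads GnuPG's machine-readable --status-fd output instead of scraping the "Good signature" text, so the spurious "Unexpected error" caused by the trailing key block never arises and the pass/fail decision rests on the reported key fingerprints. The gpg invocation and the VALIDSIG status-line format are GnuPG's own; the sample message, the file names, and the expected fingerprints (copied from the verification output in the question) are assumptions made for this demonstration.

```python
"""Split a saved clearsigned announcement + public key block into separate
files and verify only the clearsigned part.

Added example, not from the original question, answer, or the Cygwin project.
Assumes GnuPG 2.x is on PATH as ``gpg``. The sample message below is
constructed; the expected fingerprints are the ones shown in the question's
gpg output and should be confirmed out of band before being trusted.
"""
from __future__ import annotations

import re
import shutil
import subprocess
import tempfile
from pathlib import Path

_BEGIN = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")
_END = re.compile(r"^-----END PGP ([A-Z ]+)-----$")
# VALIDSIG <40-hex fingerprint> ... is the documented GnuPG status line for a
# signature that verified correctly (one line per good signature).
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")

# Fingerprints copied from the gpg output quoted in the question (assumption).
EXPECTED_FPRS = {
    "1169DF9F22734F743AA59232A9A262FF676041BA",
    "56405CF6FCC81574682A5D561A698DE9E2E56300",
}


def split_armored_blocks(text: str) -> list[tuple[str, str]]:
    """Return (block_type, block_text) pairs in order of appearance.

    A clearsigned unit ("SIGNED MESSAGE") runs from BEGIN PGP SIGNED MESSAGE
    through END PGP SIGNATURE; any other armor block (e.g. PUBLIC KEY BLOCK)
    closes at its own END line. Text outside blocks, such as mailing-list
    headers, is discarded.
    """
    blocks: list[tuple[str, str]] = []
    current_type: str | None = None
    current_lines: list[str] = []
    for line in text.splitlines():
        m = _BEGIN.match(line)
        if m and current_type is None:
            current_type, current_lines = m.group(1), [line]
            continue
        if current_type is None:
            continue
        current_lines.append(line)
        m = _END.match(line)
        if m:
            ended = m.group(1)
            closes = (ended == "SIGNATURE") if current_type == "SIGNED MESSAGE" \
                else (ended == current_type)
            if closes:
                blocks.append((current_type, "\n".join(current_lines) + "\n"))
                current_type, current_lines = None, []
    return blocks


def valid_signature_fingerprints(status_output: str) -> list[str]:
    """Fingerprints GnuPG reports in VALIDSIG status lines."""
    found = []
    for line in status_output.splitlines():
        m = _VALIDSIG.match(line)
        if m:
            found.append(m.group(1))
    return found


def verify_clearsigned(path: Path, expected_fprs: set[str]) -> bool:
    """gpg --verify a file holding only the clearsigned part; succeed only if
    gpg exits 0 and every expected fingerprint has a VALIDSIG line."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", str(path)],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and expected_fprs <= set(valid_signature_fingerprints(proc.stdout))


# Constructed sample: list headers, a clearsigned body, then a key block.
SAMPLE_MESSAGE = """\
From: constructed sample (not a real announcement)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Constructed body text.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE
=AbCd
-----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBF
=WxYz
-----END PGP PUBLIC KEY BLOCK-----
"""


def split_to_files(text: str, out_dir: Path) -> dict[str, Path]:
    """Write each block to its own file, e.g. signed_message.asc and public_key_block.asc."""
    paths = {}
    for btype, body in split_armored_blocks(text):
        p = out_dir / (btype.lower().replace(" ", "_") + ".asc")
        p.write_text(body)
        paths[btype] = p
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        parts = split_to_files(SAMPLE_MESSAGE, Path(d))
        print({k: str(v) for k, v in parts.items()})
        # The sample signature is fake, so this is expected to print False;
        # on a real saved announcement it reports the fingerprint-checked result.
        if shutil.which("gpg"):
            print(verify_clearsigned(parts["SIGNED MESSAGE"], EXPECTED_FPRS))
```

The key block written to public_key_block.asc can be imported separately with gpg --import; the "[unknown]" trust warning in the question's output persists until the key is certified locally, so the meaningful check is that the VALIDSIG fingerprints match ones obtained from a source other than the message being verified.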