Bisq: gpg: BAD signature from "Manfred Karrer <[email protected]>"

Created on 22 Sep 2016 · 12 comments · Source: bisq-network/bisq

I am trying to verify the signature that is in the file "signed_sha256_hashes.txt" but it keeps throwing that error:
Firstly, can you tell me why it's throwing this error, and secondly why the signature is not in a separate file such as "Bitsquare-64bit-0.4.9.6.deb.sig"?
I even did that and then ran:
gpg --verify Bitsquare-64bit-0.4.9.6.deb.sig Bitsquare-64bit-0.4.9.6.deb

and it still throws that error.

Please help?

All 12 comments

I am on vacation with bad internet so I cannot download the binary to check, but with my local files the hash and sig are correct. The online sig hash file I could check though.

For verifying the signed_sha256_hashes.txt use:
gpg --digest-algo SHA256 --verify signed_sha256_hashes.txt

To check the hash use (SHA256 on OSX, on Linux I think it's another command):
shasum -a 256 Bitsquare-64bit-0.4.9.6.deb

Then check if the hash is the same as in the signed_sha256_hashes.txt.

I used the same way how Bitcoin Core adds all hashes in one signed file, though some have complained about that already... Will consider single signed files in future...

If you find out that the online files do not match, please ping me and re-open!!!

The hash is the same when I check it, it's only the signature that would be nice to be single signed, would appreciate if you did that. Thanks

Will consider for the next release.

Will be changed for next release

@ManfredKarrer I don't see a file available for download with hashes of all the files any longer, any idea why?

The *.asc is the file to use. There is no collected file anymore as many did not like that approach.

Hi, yes, agreed that it should be separate, however I'm asking about a separate hash that you generate for each file. Aren't we gonna use hashes to validate? Only signature?

the gpg sig check uses hashing internally

just a quick question:
you mention in new release 0.5.1:

How to verify signatures?
$ gpg --digest-algo SHA256 --verify BINARY{.asc*,}
Replace BINARY with the file you downloaded (e.g. Bisq-0.5.1.dmg)

Doing:
gpg --digest-algo SHA256 --verify Bisq-0.5.1.dmg.asc
and
gpg --digest-algo SHA256 --verify Bisq-0.5.1.dmg{.asc*,}

gives the same result: good sig, etc. However, my question is: is it the same command? Does it do the same thing? Sorry for asking a noob question, I just didn't understand {.asc*,}

I'm also not sure that --digest-algo SHA256 makes a difference, since:
gpg --verify Bisq-0.5.1.dmg.asc yields the same result. Isn't it?

Hi @2SI3NX – As long as the result says the signature is good and you are using the correct key, then you should be fine.


More about the commands & confusion:

gpg --digest-algo SHA256 --verify Bisq-0.5.1.dmg{.asc*,}

Will be expanded by bash into:

gpg --digest-algo SHA256 --verify Bisq-0.5.1.dmg.asc Bisq-0.5.1.dmg

Modern versions of gpg will assume that Bisq-0.5.1.dmg.asc is a signature file for Bisq-0.5.1.dmg which is why the {.asc*,} part is optional in your case.

The --digest-algo SHA256 shouldn't be needed as this seems to be an argument for creating messages rather than verifying them. I am not 100% sure of that, so I asked on StackExchange.
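The two verification workflows discussed in this thread, the older signed_sha256_hashes.txt list and the newer per-file .asc signature, put together as an added shell example. This is not Bisq project code: it assumes the hash list uses the "<hex>  <filename>" layout that sha256sum and shasum print, and EXPECTED_FPR is a placeholder fingerprint that you would replace with the project's published signing key fingerprint. The point it adds beyond the thread is that "Good signature" only says some key in your keyring signed the file; the script reads gpg's --status-fd output to check which key, and it passes both filenames explicitly, which is exactly what the shell's BINARY{.asc*,} brace expansion produces.

```shell
#!/bin/sh
# Added example, not Bisq project code: verify a downloaded release file two ways,
#  1. against a signed list of hashes (the signed_sha256_hashes.txt layout), and
#  2. against a detached .asc signature, insisting on a specific signing key.
# EXPECTED_FPR is a placeholder; take the real fingerprint from the project's
# published key, not from the same download page as the binary.
EXPECTED_FPR="0000000000000000000000000000000000000000"   # placeholder fingerprint

# Portable SHA256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Look up the basename of FILE in HASHFILE (lines of "<hex>  <filename>")
# and compare with the hash computed locally. Returns 0 on match, 1 on
# mismatch or when the file is not listed at all.
check_hash_list() {
    file=$1
    hashfile=$2
    expected=$(awk -v f="$(basename "$file")" '$2 == f { print $1 }' "$hashfile")
    actual=$(sha256_of "$file")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify FILE against FILE.asc and require the signature to come from
# EXPECTED_FPR. A "Good signature" line only proves that some key in your
# keyring signed the file; --status-fd exposes the signer's fingerprint so
# the script can check which one. No --digest-algo is passed: the hash
# algorithm is recorded inside the signature, so --verify does not need it.
verify_detached() {
    file=$1
    # "$file.asc" "$file" is what the shell's BINARY{.asc*,} expands to.
    status=$(gpg --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null) || return 1
    # The last field of the VALIDSIG status line is the primary key fingerprint.
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }')
    [ "$signer" = "$EXPECTED_FPR" ]
}

# Command-line use: verify_release.sh FILE [HASHFILE]
if [ "$#" -ge 1 ]; then
    if [ "$#" -ge 2 ]; then
        check_hash_list "$1" "$2" && echo "hash OK" || echo "hash MISMATCH"
    fi
    verify_detached "$1" && echo "signature OK from expected key" || echo "signature NOT trusted"
fi
```

Run it as `sh verify_release.sh Bisq-0.5.1.dmg` for the .asc workflow, or add the hash list as a second argument for the older layout. A BAD signature makes gpg exit non-zero, so verify_detached returns 1 before the fingerprint check ever runs; a good signature from an unexpected key also returns 1, which is the case the thread's "as long as you are using the correct key" remark is about.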

@jonathancross thank you man! makes sense
