Noob question: how can I validate the download file signatures on a Windows 10 PC?
Here's what I have done...
Downloaded the following files from different mirrors:
OPNsense-19.7.pub
OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2
OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2.sig
and confirmed the OPNsense-19.7.pub content matched other mirrors and the forum webpage.
Using Kleopatra\GpgEX, I have tried to import the public key but consistently get a BER error (see attachment).
I have tried renaming the OPNsense-19.7.pub with these extensions: asc, gpg, pem, der, but the import still fails.
The best directions I found online were these: https://www.gpg4win.org/doc/en/gpg4win-compendium_15.html
Which suggests the first step is importing the public key, I don't know, but I've already tried randomly clicking all the buttons in Kleopatra. ;)
Not sure what to try next, any help would be great.
Try to verify it using openssl on the command line. It is not a GPG signature (it is a public key only and not a certificate).
Thanks! Worked just like the 'Installation & Configuration' guide has it documented. I didn't realize Kleopatra added the OpenSSL command line exe. Here are the specific commands, maybe it will help someone else.
F:\download>openssl base64 -d -in OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2.sig -out OPNsense-19.7-tmp-image.sig
WARNING: can't open config file: /etc/ssl/openssl.cnf
F:\download>openssl dgst -sha256 -verify OPNsense-19.7.pub -signature OPNsense-19.7-tmp-image.sig OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2
WARNING: can't open config file: /etc/ssl/openssl.cnf
Verified OK
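
Added example, not part of the thread above and not OPNsense's own tooling: the two openssl steps from the last post wrapped in a POSIX sh function (for example under Git Bash or WSL on Windows, assuming openssl is on the PATH) that decides on the exit status rather than on reading "Verified OK". The make_sample helper and its file names are hypothetical and only build constructed test data with a throwaway key.

```sh
#!/bin/sh
# Usage after loading these functions:
#   verify_sig OPNsense-19.7.pub \
#       OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2.sig \
#       OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2

# verify_sig PUBKEY SIGFILE FILE
# Returns 0 only if SIGFILE (base64 text) is a valid SHA-256 signature
# over FILE for PUBKEY; 2 if the signature cannot be decoded; 1 otherwise.
verify_sig() {
    vs_raw=$(mktemp) || return 2
    # Step 1: openssl dgst needs raw signature bytes, the .sig is base64.
    if ! openssl base64 -d -in "$2" -out "$vs_raw" 2>/dev/null ||
       [ ! -s "$vs_raw" ]; then
        rm -f "$vs_raw"
        echo "cannot base64-decode $2" >&2
        return 2
    fi
    # Step 2: hash FILE with SHA-256 and check the signature with PUBKEY.
    vs_rc=0
    openssl dgst -sha256 -verify "$1" -signature "$vs_raw" "$3" || vs_rc=1
    rm -f "$vs_raw"
    return "$vs_rc"
}

# make_sample DIR (hypothetical helper, constructed test data only)
# Creates a throwaway RSA key pair, a small file and a base64 signature
# in the format verify_sig accepts. This is not the OPNsense key.
make_sample() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null &&
    openssl pkey -in "$1/key.pem" -pubout -out "$1/key.pub" &&
    printf 'constructed sample image\n' > "$1/image.bin" &&
    openssl dgst -sha256 -sign "$1/key.pem" -out "$1/image.raw" "$1/image.bin" &&
    openssl base64 -e -in "$1/image.raw" -out "$1/image.bin.sig"
}
```

A non-zero return means the download, the .sig or the .pub should not be trusted until the mismatch is explained, for example by fetching the files again from another mirror.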