Now I want to verify at least one developer's signature. I have kleopatra.exe ready and I can either search a keyserver or I can import a file.
For noobs the github page is "overload" and there are no steps or explanations.
What's you OS? I assume Windows since you mentioned that in your other thread.
At any rate, for manual import; go to Bitcoin-Core's repo for the builder keys, here:
https://github.com/bitcoin-core/guix.sigs/tree/main/builder-keysDownload your selected developer's gpg key (
Click a 'name.gpg' file->'download raw file' icon), it will be saved as "
name.gpg".
To import:
- Open Kleopatra and double-click the GPG file that you've downloaded and it will be imported automatically.
- Go to Kleoparta's "Certificates" list, right-click on the just-imported key (actual name may be different from the file name), then select "Certify...".
- In the 'Certify Certificate' window, click "Certify" once you fully checked if the information in the certificate are true.
Then to verify: double-click "
SHA256SUMS.asc" to automatically verify "
SHA256SUMS" file.
With Kleopatra, it should work automatically if both files are in the same directory/folder and having the same file name.
Note: if "
.asc" and "
.gpg" files aren't associated with Kleopatra, double-click wont do anything until you select Kleopatra.
If so, tick "
Always use this app to open .asc files" once you select "
Kleopatra" as the associated app.
The raw files I tried all return errors, so I think I've not selected the proper files . . .
Please specify the errors.
I need either a server address URL that I can copy/paste into Kleopatra
If "
hkps://keys.openpgp.org" doesn't work for you (
like with some Windows users), use "
hkps://keyserver.ubuntu.com".
Thanks for the work you put in for such discrete details. Sorry if I have should have edited some of your lengthy quoted material above.
I had some success with your directions and some problems. I'll write the steps that I think I performed correctly, then indicate where I had problems:
OS: Win11Pro
a. manual import dev. key < your link < raw file icon < download to Desktop as davidgumberg.gpg =
OKb. rt. click, Open Kleo., appears as new certificate < certified with my newly created key =
OKNow I need to verify. First, I want to make sure we are talking about the right SHA256SUMS.asc file as there are two. I'm assuming we're talking about the hash signatures file and not the binary hash file, right? Yes, that must be correct, as we are verifying a signature. It's the file with an icon of a blue open lock.
When I right click on that and Open with Kleo. I get from Kleo a window that says that SHA256SUMS has been verified with SHA256SUMS.asc and then I get a list of 10 signatures that could not be verified and the ability to import each of them from the key.
But what happened to davidgumberg.gpg that I'm trying to verify? It seems like I'm dealing with apples and oranges and here I'm stuck.