Posted by Michael Weber on May 10, 2023; 9:58pm
URL: https://forum.jogamp.org/Digital-signatures-for-native-libraries-tp4042391p4042587.html

Thank you. I could verify using the asc file you provided, but the asc file obtained from the key server did not work.

I did the following. First, with no key imported yet, from git bash shell (on windows):

gpg --verify sha512sum.txt.sig sha512sum.txt

This reports "using RSA key C8CBB09E831BD6BA1F1EEADD845EBB9EA1F57735" and, as expected "Can't check signature: No public key"

I look up C8CBB09E831BD6BA1F1EEADD845EBB9EA1F57735 at hkps://keys.openpgp.org and download 4503DD006E3D7A269E57E10E8B9B030F8ED60127.asc.

Import using "gpg --import 4503DD006E3D7A269E57E10E8B9B030F8ED60127.asc", but gpg reports "8B9B030F8ED60127: no user ID", "gpg --list-keys" does not show a new entry, and gpg verify fails.

Similary, running gpg --recv-keys as follow:
gpg --keyserver hkps://keys.openpgp.org --recv-keys C8CBB09E831BD6BA1F1EEADD845EBB9EA1F57735
also gives the "8B9B030F8ED60127: no user ID" message.

I'm not a gpg expert so perhaps I'm doing it wrong. But importing sgothel-gpg-0x8ED60127.asc and then verifying worked fine.