https://community.intel.com/t5/Intel-ISA-Extensions/How-do-you-use-the-sig-files-provided-for-download-alongside-the/m-p/1569029#M7038 <P>How do you use the .sig files provided for download alongside the archives?</P><P>&nbsp;</P><P>I would have expected these to work with GPG as usual but this does not seem to be the case.</P><P>&nbsp;</P><P>What I tried:</P><P>&nbsp;</P><P>curl -JLO <A href="https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB" target="_blank">https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB</A></P><P>gpg --import GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB</P><P>gpg --verify sde-external-9.33.0-2024-01-07-lin.tar.xz.sig sde-external-9.33.0-2024-01-07-lin.tar.xz</P><P>&nbsp;</P><P>This gives me the following error:</P><P>```</P><P>gpg: no valid OpenPGP data found.<BR />gpg: the signature could not be verified.<BR />Please remember that the signature file (.sig or .asc)<BR />should be the first file given on the command line.</P><P>```</P><P>&nbsp;</P><P>Checking with `file sde-external-9.33.0-2024-01-07-lin.tar.xz.sig` gives:</P><P>```</P><P>sde-external-9.33.0-2024-01-07-lin.tar.xz.sig: DER Encoded PKCS#7 Signed Data</P><P>```</P><P>&nbsp;</P><P>Does the .sig file need to be processed with OpenSSL or some other program? Can someone give a concrete example of how to verify the archives?</P> Sun, 04 Feb 2024 15:52:15 GMT silvanshade 2024-02-04T15:52:15Z https://community.intel.com/t5/Intel-ISA-Extensions/How-do-you-use-the-sig-files-provided-for-download-alongside-the/m-p/1569029#M7038 <P>How do you use the .sig files provided for download alongside the archives?</P><P>&nbsp;</P><P>I would have expected these to work with GPG as usual but this does not seem to be the case.</P><P>&nbsp;</P><P>What I tried:</P><P>&nbsp;</P><P>curl -JLO <A href="https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB" target="_blank">https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB</A></P><P>gpg --import GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB</P><P>gpg --verify sde-external-9.33.0-2024-01-07-lin.tar.xz.sig sde-external-9.33.0-2024-01-07-lin.tar.xz</P><P>&nbsp;</P><P>This gives me the following error:</P><P>```</P><P>gpg: no valid OpenPGP data found.<BR />gpg: the signature could not be verified.<BR />Please remember that the signature file (.sig or .asc)<BR />should be the first file given on the command line.</P><P>```</P><P>&nbsp;</P><P>Checking with `file sde-external-9.33.0-2024-01-07-lin.tar.xz.sig` gives:</P><P>```</P><P>sde-external-9.33.0-2024-01-07-lin.tar.xz.sig: DER Encoded PKCS#7 Signed Data</P><P>```</P><P>&nbsp;</P><P>Does the .sig file need to be processed with OpenSSL or some other program? Can someone give a concrete example of how to verify the archives?</P> Sun, 04 Feb 2024 15:52:15 GMT https://community.intel.com/t5/Intel-ISA-Extensions/How-do-you-use-the-sig-files-provided-for-download-alongside-the/m-p/1569029#M7038 silvanshade 2024-02-04T15:52:15Z https://community.intel.com/t5/Intel-ISA-Extensions/How-do-you-use-the-sig-files-provided-for-download-alongside-the/m-p/1569376#M7040 <P>Thanks for the response.</P><P>&nbsp;</P><P>I tried the command you specified (openssl cms -verify ...) but that gives a different error message:</P><P>```</P><P>CMS Verification failure<BR />40F7367FEC7F0000:error:17000064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:289:Verify error: unsuitable certificate purpose</P><P>```</P><P>&nbsp;</P> Mon, 05 Feb 2024 15:50:15 GMT https://community.intel.com/t5/Intel-ISA-Extensions/How-do-you-use-the-sig-files-provided-for-download-alongside-the/m-p/1569376#M7040 silvanshade 2024-02-05T15:50:15Z