Intel® ISA Extensions
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.
1127 Discussions

How do you use the .sig files provided for download alongside the archives?

silvanshade
Beginner
1,708 Views

How do you use the .sig files provided for download alongside the archives?

 

I would have expected these to work with GPG as usual but this does not seem to be the case.

 

What I tried:

 

curl -JLO https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB

gpg --import GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB

gpg --verify sde-external-9.33.0-2024-01-07-lin.tar.xz.sig sde-external-9.33.0-2024-01-07-lin.tar.xz

 

This gives me the following error:

```

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

```

 

Checking with `file sde-external-9.33.0-2024-01-07-lin.tar.xz.sig` gives:

```

sde-external-9.33.0-2024-01-07-lin.tar.xz.sig: DER Encoded PKCS#7 Signed Data

```

 

Does the .sig file need to be processed with OpenSSL or some other program? Can someone give a concrete example of how to verify the archives?

0 Kudos
1 Reply
silvanshade
Beginner
1,657 Views

Thanks for the response.

 

I tried the command you specified (openssl cms -verify ...) but that gives a different error message:

```

CMS Verification failure
40F7367FEC7F0000:error:17000064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:289:Verify error: unsuitable certificate purpose

```

 

0 Kudos
Reply