How do you use the .sig files provided for download alongside the archives?

silvanshade · ‎02-04-2024

I would have expected these to work with GPG as usual but this does not seem to be the case.

What I tried:

curl -JLO https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB

gpg --import GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB

gpg --verify sde-external-9.33.0-2024-01-07-lin.tar.xz.sig sde-external-9.33.0-2024-01-07-lin.tar.xz

This gives me the following error:

```

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

```

Checking with `file sde-external-9.33.0-2024-01-07-lin.tar.xz.sig` gives:

```

sde-external-9.33.0-2024-01-07-lin.tar.xz.sig: DER Encoded PKCS#7 Signed Data

```

Does the .sig file need to be processed with OpenSSL or some other program? Can someone give a concrete example of how to verify the archives?

silvanshade · ‎02-05-2024

Thanks for the response.

I tried the command you specified (openssl cms -verify ...) but that gives a different error message:

```

CMS Verification failure
40F7367FEC7F0000:error:17000064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:289:Verify error: unsuitable certificate purpose

```