GPG 验证软件签名

1. 下载文件 electrum-4.1.2.exe.asc 和签名 electrum-4.1.2.exe.asc
2. 验证签名，提示No public key

$ gpg --verify electrum-4.1.2.exe.asc
gpg: Signature made Thu 08 Apr 2021 09:47:31 PM CST
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Can't check signature: No public key

3. 搜索 key，提示new key but contains no user ID - skipped

$ gpg --search-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: data source: https://keys.openpgp.org:443
(1)       4096 bit RSA key 2BD5824B7F9470E6, created: 2011-06-15
Keys 1-1 of 1 for "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 2BD5824B7F9470E6: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

4. 换服务器，OK！

$ gpg --keyserver hkp://pgp.mit.edu --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: Total number processed: 1
gpg:               imported: 1

常用的公钥服务器有：

• keyserver.ubuntu.com
• keys.gnupg.net
• hkp://subkeys.pgp.net
• hkp://pgp.mit.edu

5. 重新验证，Good signature

$ gpg --verify electrum-4.1.2.exe.asc
gpg: assuming signed data in 'electrum-4.1.2.exe'
gpg: Signature made Thu 08 Apr 2021 09:47:31 PM CST
gpg:                using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

6. 查看已下载公钥

$ gpg -k
/home/mx/.gnupg/pubring.kbx
---------------------------
pub   rsa4096 2011-06-15 [SC]
      6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
uid           [ unknown] Thomas Voegtlin (https://electrum.org) 
uid           [ unknown] ThomasV 
uid           [ unknown] Thomas Voegtlin 
sub   rsa4096 2011-06-15 [E]