Hello,
I am unable to do the gpg-checks for vbox files.
I have downloaded oracle_vbox.asc from http://download.virtualbox.org/virtualbox.
Besides: This site is unencrypted and trying by https://…. → „secure negotiation is not supported“.
Not a real good solution..
After importing the key I ran
gpg –verify oracle_vbox.asc SHA256SUMS
to check the SHA256SUMS file file is signed correctly and then to do the next step by
shasum -a 256 VirtualBox-5.2.0-118431-OSX.dmg.
The last command worked and the output is correct, but the first command got an „unexpected error“.
Maybe I did an adequate use of the commands?
But in which gpg --verify/ --fingerprint commands I can get the confirmation that the downloaded vbox files are correctly signed by a valubale key of Oracle?
Thanks for reply and further advice.
ergo
How to fingerprint and verify downloaded Vbox Files
-
socratis
- Site Moderator
- Posts: 27329
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: How to fingerprint and verify downloaded Vbox Files
You may find the answer your exactly same question, from a year ago, helpful: viewtopic.php?f=1&t=77309
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Re: How to fingerprint and verify downloaded Vbox Files
Thanks for reply .
Unfortunately the link doesn't hit my problem.
I understand that checksums are not a security feature but for accidental download corruptions only.
And as I told there is no problem with running the checksum command here.
But my question is how I can check the oracle certificates and fingerprints.
Running gpg --fingerprint info@virtualbox.org after import of oracle_vbox.asc the key and ID is displayed, but now how to check the embedded certificates in the downloaded files with this and ensure that they are correctly signed by oracle?
Thank you for hints.
Unfortunately the link doesn't hit my problem.
I understand that checksums are not a security feature but for accidental download corruptions only.
And as I told there is no problem with running the checksum command here.
But my question is how I can check the oracle certificates and fingerprints.
Running gpg --fingerprint info@virtualbox.org after import of oracle_vbox.asc the key and ID is displayed, but now how to check the embedded certificates in the downloaded files with this and ensure that they are correctly signed by oracle?
Thank you for hints.