virtualbox.org

Hello,

I am unable to do the gpg-checks for vbox files.

I have downloaded oracle_vbox.asc from http://download.virtualbox.org/virtualbox.

Besides: This site is unencrypted and trying by https://…. → „secure negotiation is not supported“.
Not a real good solution..

After importing the key I ran
gpg –verify oracle_vbox.asc SHA256SUMS
to check the SHA256SUMS file file is signed correctly and then to do the next step by
shasum -a 256 VirtualBox-5.2.0-118431-OSX.dmg.

The last command worked and the output is correct, but the first command got an „unexpected error“.

Maybe I did an adequate use of the commands?

But in which gpg --verify/ --fingerprint commands I can get the confirmation that the downloaded vbox files are correctly signed by a valubale key of Oracle?

Thanks for reply and further advice.

ergo

You may find the answer your exactly same question, from a year ago, helpful: viewtopic.php?f=1&t=77309

Thanks for reply .

Unfortunately the link doesn't hit my problem.
I understand that checksums are not a security feature but for accidental download corruptions only.
And as I told there is no problem with running the checksum command here.

But my question is how I can check the oracle certificates and fingerprints.
Running gpg --fingerprint info@virtualbox.org after import of oracle_vbox.asc the key and ID is displayed, but now how to check the embedded certificates in the downloaded files with this and ensure that they are correctly signed by oracle?

Thank you for hints.