Though I have tried to follow different resources and instructions on this, and tried it many times, I am still unable to verify the signature (on Windows). I have signed their public key (just “Sign”), which created an .asc.sig file. The key is from keys.openpgp.org, found by the fingerprint 5069A233D55A0EEB174A5FC3821ACD02680D16DE. Now I am seeing this:
Verified ‘C:\Users\...\Desktop\verify trash\VeraCrypt Setup 1.26.24.exe.sig’ with ‘C:\Users\...\Desktop\verify trash\veracryptopenpgp.asc.sig’:
Invalid signature.
With certificate:
[....]
(key:...)
The signature is invalid: Bad signature
I have also tried some PowerShell commands I found; they did not work either.
I do not quite believe something is wrong with the file; probably it is some mistake on my side again, but at this point I cannot figure it out and am approaching a time-pressure state.
I apologize if this is too basic, feel free to delete this post if needed.
Could it be that the executable and its signature are not in the same directory? The shown path looks strange.
The output should be:
Verified ‘VeraCrypt Setup 1.26.24.exe’ with ‘VeraCrypt Setup 1.26.24.exe.sig’: The data could not be verified.
Signature created on Thursday, 29 May 2025 15:43:40 CEST
With certificate:
VeraCrypt Team <veracrypt@amcrypto.jp> (821A CD02 680D 16DE)
The used key is not certified by you or any trusted person.
That is likely to be the wrong signature; you would want to “certify” their public key as “trusted” after you have checked that it is the public key which belongs to the organisation you want to trust.
In Kleopatra you select the public key in question and use either the context menu (right mouse click) and “Certify”, or you open the details view of the public key and use “Certify User IDs” from there.
Verified ‘C:\Users\...\Desktop\verify2\VeraCrypt Setup 1.26.24.exe’ with ‘C:\Users\...\Desktop\verify2\VeraCrypt Setup 1.26.24.exe.sig’:
Valid signature by veracrypt@amcrypto.jp
(key:5069A233D55A0EEB174A5FC3821ACD02680D16DE)
Signature created on 29 May 2025 15:43:40
With certificate:
VeraCrypt Team <veracrypt@amcrypto.jp> (821A CD02 680D 16DE)
The signature is valid and the certificate's validity is fully trusted.
I thought that I should verify if their public key matches the signature in the exe.sig file, according to this https://stackoverflow.com/questions/69892035/cannot-verify-pgp-signature-for-veracrypt-executable.
But as I was trying it, it seems that actually only the executable and the .exe.sig need to be in the same directory, and it works without the key. Does trusting the certificate mean/stand for importing the separate public key file, and I just trust it after I check that the fingerprint matches?
But yes, I have got it now: the decrypt/verify action is like only the second gpg command.
Perhaps it helps someone else.
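The check this thread converges on (import the public key, confirm its fingerprint, then verify the .exe against its own .exe.sig), as an added example using the gpg command line instead of Kleopatra; it is not code from this thread or from the VeraCrypt project. It assumes gpg and gpgconf are on the PATH, constructs a demo key, a fake installer and its signature locally, and pins the expected fingerprint in the script rather than relying on a certify/trust step.

```shell
#!/bin/sh
# Added example, not code from this thread: verify a detached OpenPGP signature
# with the gpg command line and pin the signer to an expected fingerprint, in a
# throwaway keyring so the result does not depend on Kleopatra's trust database.
# The demo key, "installer" and .sig files are constructed locally, since the
# real VeraCrypt files are not available offline.

# verify_detached FILE SIG PUBKEY_ASC EXPECTED_FPR
# Prints OK and returns 0 only if SIG is a good signature over FILE made by the
# key whose fingerprint is EXPECTED_FPR (40 hex digits, no spaces).
verify_detached() {
    file=$1 sig=$2 pubkey=$3 expected=$4
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null || { rm -rf "$home"; return 1; }
    # --status-fd 1 gives machine-readable lines; VALIDSIG carries the signing
    # key's full fingerprint (and the primary key's, when a subkey signed).
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null; rm -rf "$home"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$expected" || return 1
    echo OK
}

# make_demo: generate a test key, a fake installer with its detached .sig, and
# the mistake from the thread (a signature over the public key file itself).
# Prints "<demo directory> <fingerprint>".
make_demo() {
    demo=$(mktemp -d) || return 1
    signer=$demo/signer; mkdir -m 700 "$signer" || return 1
    gpg --homedir "$signer" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null || return 1
    fpr=$(gpg --homedir "$signer" --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    gpg --homedir "$signer" --batch --armor --export "$fpr" >"$demo/signer.asc"
    printf 'pretend installer bytes\n' >"$demo/Setup.exe"
    gpg --homedir "$signer" --batch --quiet --detach-sign --output "$demo/Setup.exe.sig" "$demo/Setup.exe"
    gpg --homedir "$signer" --batch --quiet --detach-sign --output "$demo/signer.asc.sig" "$demo/signer.asc"
    gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null
    echo "$demo $fpr"
}

# Usage: sh verify.sh demo   (constructed run; a real check would pass the
# downloaded installer, its .sig, the key file from keys.openpgp.org and the
# fingerprint published by the project)
if [ "${1:-}" = demo ] && command -v gpg >/dev/null 2>&1; then
    set -- $(make_demo)
    verify_detached "$1/Setup.exe" "$1/Setup.exe.sig" "$1/signer.asc" "$2"
    verify_detached "$1/Setup.exe" "$1/signer.asc.sig" "$1/signer.asc" "$2" || echo "rejected: .sig does not belong to this file"
fi
```

Pairing the installer with the signature made over the key file (the .asc.sig from the first post) is rejected as a bad signature, as is a correct .sig presented with the wrong expected fingerprint.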