I have downloaded the trisquel_7.0_amd64.iso from the trisquel.info web-site on a desktop with Windows10.
How can I verify the GPG signature using the gpg4win / Kleopatra. If not, are there any other tools to verify the GPG signature on Windows10.
The first thing you’ll want to do is to import the trisquel signing key. The website gives the key ID B4EFB9F38D8AEBF1. This key is available from the MIT server here: http://pgp.mit.edu/pks/lookup?op=get&search=0xB4EFB9F38D8AEBF1
Next, you’ll need to download the PGP signature for the version you downloaded. To do this, go to the trisquel download page, select the version you downloaded and click “Download ISO”. If you’ve already downloaded the iso, just hit cancel in the download dialogue box. The website will have taken you to a page with links to the signature file for the iso. Click the link marked “GPG”. Copy all of the text and paste it into a text editor such as notepad. Save the note in the same location as the iso. It is best to save the file with a name that matches the iso file name with the extension “.sig”. E.g. “trisquel_7.0_amd64.iso.sig”.
Open Kleopatra and click the “File” menu. Select “Decrypt/Verify Files”. Navigate to the directory in which you saved the iso and signature file. Select the signature file and click “Open”. If you saved the signature with the suggested name, Kleopatra will automatically recognize it as a signature and will select the iso as the “signed data”. If you saved the signature with a different name, you may have to check the “Input file is a detached signature” box and select the signed data manually.
Finally, click the “Decrypt/Verify” button. The process may take a while if the signed data is large (i.e. the 1.5 GB version). Kleopatra should eventually return a message confirming whether or not the signature matches the signed data. And that’s it!
**See Note 2
*Note 1: Since the key ID is given by the same web page from which the iso itself is downloaded, there is the possibility that if the website was hacked/spoofed, a fraudulent key ID could be given which would result in a good signature for a potentially malicious file. You must decide for yourself how much you trust that this is a genuine key. Checking signatures and cross-checking the key ID from other sources can increase confidence, but the only way to be 100% sure is to get the key directly from the owner.
**Note 2: You may have to certify the trisquel key and change the trust level before Kleopatra will give you a complete “good signature” message. If you don’t, you may get a message that says something like “Not enough information to verify signature.” But, in this case, you can still click “Show Details” to see the ID of the key that signed the iso.
Feel free to ask for clarification on any of the above.
Appreciate your reply. I will check if this works.