LFCS · Question #405
LFCS Question #405: Real Exam Question with Answer & Explanation
The correct answer is A: gpg verify file.tgz.asc file.tgz. To verify a detached GPG signature (.asc) against its corresponding data file (.tgz), you can use gpg verify with both files, gpg verify with just the signature file (if named conventionally), or the gpgv utility with just the signature file.
Question
You have downloaded a file named file.tgz along with a signature file named file.tgz.asc. Which commands can be used to verify that file.tgz has not been tampered with since the file creator created the signature? Assume that you have already retrieved the public key of the file creator. (Select THREE correct answers)
Options
- Agpg verify file.tgz.asc file.tgz
- Bgpg verify file.tgz
- Cgpg verify file.tgz.asc
- Dgpgv verify file.tgz.asc
- Egpgv file.tgz.asc
Explanation
To verify a detached GPG signature (.asc) against its corresponding data file (.tgz), you can use gpg verify with both files, gpg verify with just the signature file (if named conventionally), or the gpgv utility with just the signature file.
Common mistakes.
- B.
gpg verify file.tgzis incorrect because it expects the file itself to contain an inline signature, not a detached one, and would not automatically search forfile.tgz.asc. - D.
gpgv verify file.tgz.ascis syntactically incorrect;gpgvitself implies verification, so theverifysubcommand is redundant and not part of thegpgvsyntax.
Concept tested. GPG detached signature verification
Reference. https://gnupg.org/documentation/manuals/gnupg/Verify-signatures.html
Topics
Community Discussion
No community discussion yet for this question.