EvotecIT / PSPGP

PSPGP is a PowerShell module that provides PGP functionality in PowerShell. It allows encrypting and decrypting files/folders and strings using PGP.
MIT License
59 stars 22 forks source link

Verifying Python installer's GPG signature #9

Closed martroben closed 1 month ago

martroben commented 2 years ago

I'm trying to use PSPGP to verify the signature of the Python installer, but I'm getting the following error:

Test-PGP -FilePathPublic $python_installer_win_public_key_path -FilePath $python_installer_pgp_signature_path WARNING: Test-PGP - Can't test file C:\Temp\python_test\python-3.10.5-amd64.exe.asc: Exception calling "VerifyFile" with "1" argument(s): "Object reference not set to an instance of an object."

It could be unrelated to PSPGP and due to something silly that I'm doing, since PS is not my native tongue - but I haven't been able to figure it out.


Here's the code that produces the error:

Set-PSRepository PSGallery -InstallationPolicy Trusted
Install-Module -Name PSPGP

$download_directory = "C:\Temp\python_test"
$python_installer_url = "https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe"
$python_installer_pgp_signature_url = "https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe.asc"
$python_installer_win_public_key_url = "https://keybase.io/stevedower/pgp_keys.asc?fingerprint=7ed10b6531d7c8e1bc296021fc624643487034e5"

$python_installer_path = $download_directory + "\" + [System.IO.Path]::GetFileName($python_installer_url)
$python_installer_pgp_signature_path = $download_directory + "\" + [System.IO.Path]::GetFileName($python_installer_pgp_signature_url)
$python_installer_win_public_key_path = $download_directory + "\" + "python_pgp_public_key.asc"

If(!(test-path -PathType container $download_directory)) {
    New-Item -ItemType Directory -Path $download_directory | Out-Null
}

Invoke-WebRequest $python_installer_url -OutFile $python_installer_path
Invoke-WebRequest $python_installer_pgp_signature_url -OutFile $python_installer_pgp_signature_path
Invoke-WebRequest $python_installer_win_public_key_url -OutFile $python_installer_win_public_key_path

Test-PGP -FilePathPublic $python_installer_win_public_key_path -FilePath $python_installer_pgp_signature_path

I can get the desired result by gpg.exe, but I'd prefer not having to include a separate step to install GPG4Win in order to verify the signature.

image


Maybe the problem is that I'm trying to verify a detached signature (as described here) - and I'm not sure if PSPGP has the capabilities to handle these?

Anyway, do you have any suggestions for me? :)

PrzemyslawKlys commented 1 month ago

Can you try newest version?

martroben commented 1 month ago

@PrzemyslawKlys, thank you for reaching out. However, since the use case is no longer relevant to me, I'm not going to be able to verify whether the problem is fixed in the newest version or not.