simonclausen / dnscrypt-autoinstall

Automatic installation and configuration of DNSCrypt (on Debian + Redhat like systems). This script will install DNSCrypt and configure it to start on boot and use an optional dnscrypt service.

gpg: can't open `libsodium-0.4.5.tar.gz.sig' #22

Closed ghost closed 10 years ago

ghost commented 10 years ago

Hey, I hope it's ok to post issues of non-developers here.

I've used this script before and it worked perfectly, now it stops short before it installs anything due to an error as follows:

Importing key with ID: 1CDEA439
gpg: requesting key 1CDEA439 from hkp server keys.gnupg.net
gpg: key 1CDEA439: "Jedi/Sector One <j@pureftpd.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (35) Unknown SSL      protocol error in connection to download.libsodium.org:443 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (35) Unknown SSL     protocol error in connection to download.libsodium.org:443 
Verifying signature of: libsodium-0.4.5.tar.gz
gpg: can't open `libsodium-0.4.5.tar.gz.sig'
gpg: verify signatures failed: file open error
Error verifying signature

How do I fix it?

I did Google the problem and couldn't find a solution. I'm sorry if this isn't supposed to be posted here.

Thank you for your efforts writing this, and dedicating your time for random people!

Notes: OS: Kali Linux (this script has worked before). When I failed, I reinstalled the entire OS thinking it was some tinkering I did yesterday on the root folder and system files, so I just tried again after clean install and still failed. I see it's something about the GPG signature.

AladW commented 10 years ago

Hi,

This seems to be a known issue with the libsodium servers, sometimes they just fail. Best bet is probably to change to GitHub.

AladW commented 10 years ago

Please try #23

ghost commented 10 years ago

Thanks for your time, tried it but still couldn't install; (almost) same error:

Verifying signature of: libsodium-0.6.1.tar.gz
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
Error verifying signature

AladW commented 10 years ago

Strange when this worked before. I'll report back when I get to a Debian system

AladW commented 10 years ago

Works in Ubuntu 14.04 (gpg 1.4.16-1ubuntu2.1) - will try Kali

AladW commented 10 years ago

I'm afraid I can't reproduce it in Kali either... I did get an ioctl error, but I think that was due to live boot

ghost commented 10 years ago

I've just made another clean install, I'll try again.

ghost commented 10 years ago

For anyone facing the same problem: I'll be reinstalling a 32bit version, try again, and report back. It worked before on the 32bit, it never did on 64bit. I'll see if that is the problem.

ghost commented 10 years ago

IT WORKED! Thank God, at last!

Anyway, the problem wasn't in the architecture (that was a last-resort idea anyway), it was in the actual download of libsodium. The script directs it to download from https://download.libsodium.org/libsodium/releases (SSL) and this is where the error occurs, so I changed the download source link to the unencrypted http:// and it worked fine.

I don't think this will affect the security of the transmission of the file, will it? Since it's being verified by the GPG key anyway! One thing to point out is that the script says "there's nothing to indicate that this is a trusted key made by the owner" or something to that effect, but lists the signature name as: key 1CDEA439: "Jedi/Sector One <j@pureftpd.org>"

Is security a concern here? (I'm seeing several "bugs" in security lately and it's getting a bit worrisome.)

UPDATE: It seems suspicious!

I can access the secure https through TOR, but not through my regular IP.

Is my installation using the above method still safe?

simonclausen commented 10 years ago

I have just committed AladW's updates to the download URLs - redownloading the script should get you around the issues you have been seeing.

ghost commented 10 years ago

Thank you all :)
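
The thread turns on whether the GPG check can stand in for HTTPS once the download falls back to plain http://. That only holds if verification fails closed and is tied to a full key fingerprint rather than a name or a short key ID such as 1CDEA439. The following is an added example, not code from the dnscrypt-autoinstall script: a POSIX shell function that reads `gpg --status-fd` output and accepts only a VALIDSIG from the pinned key. The function name, the file names in the usage comment, and the pinned fingerprint the caller passes in are assumptions.

```sh
#!/bin/sh
# Added example: decide from gpg's machine-readable status lines whether a
# detached signature is acceptable. Hypothetical usage (file names assumed):
#   gpg --status-fd 1 --verify libsodium.tar.gz.sig libsodium.tar.gz 2>/dev/null \
#     | check_sig_status "$PINNED_FPR" || { echo "Error verifying signature"; exit 1; }

check_sig_status() {
    # Normalise the pinned fingerprint: strip spaces, upper-case the hex digits.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$pinned" in
        ''|*[!0-9A-F]*) echo "pinned fingerprint is not hex" >&2; return 2 ;;
    esac
    # An 8-digit short key ID can be collided; insist on all 40 hex digits.
    [ "${#pinned}" -eq 40 ] || { echo "need a full 40-hex fingerprint" >&2; return 2; }

    valid=0
    bad=0
    while read -r tag keyword f1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # f1 is the signing (sub)key; the last field is the primary key.
                if [ -n "$rest" ]; then primary=${rest##* }; else primary=$f1; fi
                if [ "$primary" = "$pinned" ]; then valid=1; else bad=1; fi ;;
            # NODATA covers "no valid OpenPGP data found" (e.g. an HTML error
            # page saved as the .sig). Rejecting expired or revoked keys is a
            # policy choice made by this example.
            BADSIG|ERRSIG|NODATA|EXPKEYSIG|REVKEYSIG) bad=1 ;;
        esac
    done
    # Fail closed: no status lines at all (missing .sig file) is also a failure.
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}
```

The pinned fingerprint has to come from a channel other than the download itself; a key fetched from a keyserver by short ID proves nothing about who owns it.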