Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
6 votes • 2 answers • 494 views
apt seems to be ignoring Signed-By
I'm trying to install AviSynth+ from yuuki-deb.x86.men.
```text
$ cat /etc/apt/sources.list.d/yuuki-deb.sources
Types: deb
URIs: http://yuuki-deb.x86.men/
Suites: bullseye
Components: main
Signed-By: /usr/share/keyrings/yuuki-deb.gpg
Enabled: yes
$ ls -l /usr/share/keyrings/yuuki-deb.gpg
-rw-r--r-- 1 root root 433 Sep 7 20:23 /usr/share/keyrings/yuuki-deb.gpg
$ gpg --show-keys /usr/share/keyrings/yuuki-deb.gpg
pub ed25519 2020-03-03 [SCA]
A9BBA31152359AE080A1DF851F331533ABCDEEA3
uid AviSynth+ Yuuki Debian Repository
# apt update
-*- snip -*-
Err:4 http://yuuki-deb.x86.men bullseye InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 1F331533ABCDEEA3
-*- snip -*-
```
It seems to be completely ignoring the `Signed-By` directive. How can I fix this?
wizzwizz4 (702 rep) • Aug 2, 2025, 10:19 AM • Last activity: Aug 3, 2025, 06:32 PM

0 votes • 2 answers • 4471 views
Automatic module signing for distribution in Linux
I'm new to writing Linux modules (drivers) and digital signatures, so please correct me if any of my understanding is incorrect.
When I run `make modules_install` on my module, I get the following error (veikk is the module name):
```
At main.c:160:
- SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79
sign-file: certs/signing_key.pem: No such file or directory
```
I was looking up tutorials on signing modules, but I was very confused about how to distribute a signed module. There are tutorials for manually signing modules (e.g., this, this, this), but these all seem to be post-installation and involve generating and registering a key with the kernel. It seems that the kernel wants to automatically sign the module on installation using `certs/signing_key.pem` (hence the error).
Using the advice provided by this Unix Stack Exchange question, I was able to get rid of the error. This generates the `x509.genkey` file, and then creates the `signing_key.pem` and `signing_key.x509` files in the `certs` directory in the kernel directory.
```
printf "[ req ]\ndefault_bits = 4096\ndistinguished_name = req_distinguished_name\nprompt = no\nstring_mask = utf8only\nx509_extensions = myexts\n\n[ req_distinguished_name ]\nCN = Modules\n\n[ myexts ]\nbasicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid" > x509.genkey
openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out $(BUILD_DIR)/certs/signing_key.x509 -keyout $(BUILD_DIR)/certs/signing_key.pem
```
After running this and `make modules_install`, the module seems to install correctly. The output of `modinfo veikk` seems to show a valid signature:
```
filename: /lib/modules/5.1.5-arch1-2-ARCH/extra/veikk.ko.xz
license: GPL
srcversion: A82263B16A25C763382D8B9
alias: hid:b0003g*v00002FEBp00000003
alias: hid:b0003g*v00002FEBp00000002
alias: hid:b0003g*v00002FEBp00000001
depends: hid
retpoline: Y
name: veikk
vermagic: 5.1.5-arch1-2-ARCH SMP preempt mod_unload
sig_id: PKCS#7
signer: Modules
sig_key: 27:E8:FC:4A:4E:15:0C:AF:40:D5:A1:A4:10:E5:B5:55:BF:AF:EB:66
sig_hashalgo: sha512
```
My question: **Is this a recommended (and safe) way to sign a driver?** Preferably, I would like to have end users not have to worry about the hassle of signing the drivers themselves when installing.
Because my understanding is a little muddy, here are a few questions I don't understand:
- Is this automatic signing on build as secure as the tutorials above for manually signing a driver after installation? I.e., I'm generating a key to sign it with, but that key never (at least explicitly) is loaded into the kernel.
- How are drivers normally distributed and signed? I would expect large companies with proprietary drivers for Linux to have their modules signed some way, such as Nvidia.
- Is there a way to pre-sign a module (on my end)? This seems unlikely because the module should be built for any system it's to be used on.
I would like to keep Secure Boot on (disabling it allows the unsigned module to load, but clients would prefer to have Secure Boot on).
Jonathan Lam (101 rep) • Jun 13, 2019, 02:31 PM • Last activity: Jul 1, 2025, 12:05 PM

7 votes • 1 answers • 2039 views
Getting a digital signature from an eToken/smart card into LibreOffice
I successfully managed to make use of digital signatures in LibreOffice Writer by following flatmtn.com/creating-pkcs12-certificates
But now I want to use a digital certificate from an eToken/smart card and not from the Mozilla keystore directory.
How can I achieve this?
SHW (15376 rep) • Aug 28, 2012, 08:37 AM • Last activity: May 21, 2025, 10:10 PM

5 votes • 1 answers • 14864 views
Partition #3 contains a ext4 signature
When I use fdisk to create a new partition I get an error which says
```
Partition #3 contains a ext4 signature
Do you want to remove the signature? [Y]es/[N]o:
```
This error is not a problem but I am wondering why this error even comes up when the partition has not even been created with a filesystem.
While creating a partition I only had two partitions which were #1 and #2, there was no third partition at all. So how is there already a signature of an ext4 filesystem on the partition?
programmer (1115 rep) • Jun 30, 2019, 10:48 AM • Last activity: May 16, 2025, 02:07 AM

0 votes • 1 answers • 2324 views
Signing Nvidia drivers for Secure Boot - Nvidia module location
I want to sign my nvidia driver so I can use it with Secure Boot.
I'm trying to follow these instructions for nvidia driver:
https://wiki.debian.org/SecureBoot#Using_your_key_to_sign_modules_.28Traditional_Way.29
I already have MOK keys.
I've installed nvidia drivers with `apt-get install nvidia-driver`. Now I'm signing it.
I can't find the location of my nvidia module.
ChatGPT has suggested something like that:
```
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /path/to/MOK.priv /path/to/MOK.der $(modinfo -n nvidia)
```
But I'm getting an error (even with `modinfo -n nvidia`):
```
sudo /sbin/modinfo nvidia
modinfo: ERROR: Module nvidia not found
```
I've also tried it, but got no output:
```
sudo find /lib/modules/$(uname -r) -type f -name "nvidia.ko"
```
What should I do to find my nvidia driver? It should be there if I have installed a package, right?
user3565923 (133 rep) • Sep 20, 2023, 06:31 PM • Last activity: Apr 18, 2025, 08:02 PM

0 votes • 0 answers • 185 views
How do you generate a keyring file for a local APT repository?
Based on [this answer](https://unix.stackexchange.com/a/775900/384822), I followed [this guide](https://earthly.dev/blog/creating-and-hosting-your-own-deb-packages-and-apt-repo/) to create a local apt repository.
Now I am specifying that `debootstrap` use my repository with `file:path/to/my/apt/repo`.
When `debootstrap` runs, I get this:
```
I: Target architecture can be executed
I: Retrieving InRelease
I: Checking Release signature
E: Release signed by unknown key (key id ***REDACTED***)
The specified keyring /files/raspberrypi.gpg may be incorrect or out of date.
You can find the latest Debian release key at https://ftp-master.debian.org/keys.html
```
For some background, I am using [pi-gen](https://github.com/RPi-Distro/pi-gen) to generate raspberry pi images. They provide a file called `raspberrypi.gpg`, which I believe is the keyring for `raspbian.raspberrypi.com`. However, I want to use my local apt repo instead of the public internet one. So I am replacing `http://raspbian.raspberrypi.com/raspbian` with `file:path/to/my/apt/repo` so that `debootstrap` will be able to pull packages from my local apt repo instead of pulling them from the internet.
So essentially I think I need to create an equivalent `my-apt-repo.gpg` file, but all I have after following the above linked tutorial is the following:
- `Release`, which I think is the header of my apt repo
- `Release.gpg`, which I think is a signed version of `Release`
- `InRelease`, which I think is a combination of `Release` and `Release.gpg`
- `my-pgp-key.private` which is the private key I used to sign the `Release` file
- `my-pgp-key.public` which is the public key corresponding to the private key

So somehow from these I think I need to create `my-apt-repo.gpg` which should allow me to actually use the apt repo. But I do not know how to create this file.
nullromo (111 rep) • Jan 14, 2025, 11:11 PM • Last activity: Jan 15, 2025, 08:38 PM

2 votes • 1 answers • 445 views
apt rejects sha1 and rsa1024 signatures after upgrade to version >= 2.9.19 - when GnuPG is replaced with Sequoia
After upgrading `apt` to version >= 2.9.19 SHA1 and RSA1024 signatures are rejected.
There is a section in its changelog which says:
>apt (2.9.19) unstable; urgency=medium
>
> * Replace GnuTLS and gcrypt with OpenSSL
> * Replace GnuPG with Sequoia on supported Debian platforms
> - methods: Add new sqv method
> - debian: Add default policy to allow SHA-1 self-signatures until 2026
> - debian: Plug sqv into the package build
So I thought this would enable a policy to accept SHA1 signatures, but perhaps I misunderstood.
likewise (680 rep) • Jan 11, 2025, 10:59 PM • Last activity: Jan 12, 2025, 12:14 AM

0 votes • 1 answers • 40 views
File signing with minimum hassle for the verifier
Suppose I want to publish (or send to someone) a file. I also want the recipients of it to be able to verify that any further updates to it come from the same source/author as the original.
The obvious solution is to ship the original file with a public key and a GPG signature of the file. Any subsequent updates will be signed too.
However, the verifiers would have to *import* the public key into their local keyring.
Isn't there a more flexible, less obtrusive approach? Maybe not GPG but something else?
For example, something like this would be ideal:
```
toolname --verify --pub path/to/public.key --sig path/to/signature path/to/file-to-verify
```
Looks like GPG can do it but only in 3 peculiar steps:
```
gpg --no-default-keyring --keyring ./temp-keyring.gpg --import pub.key
gpg --no-default-keyring --keyring ./temp-keyring.gpg --verify signature.gpg path/to/file
rm ./temp-keyring.gpg
```
Related questions: one, two.
Greendrake (459 rep) • Jan 4, 2025, 06:52 PM • Last activity: Jan 4, 2025, 07:33 PM

50 votes • 3 answers • 57155 views
Set default key in gpg for signing
I have created multiple keys using gpg.
Whenever I try to sign any file, gpg automatically uses the first one I have created. How to set default key for signing in gpg. I don't want to delete/revoke the other one yet.
Otherwise, how can I change my default keys for signing?
Aman Sharma (601 rep) • Jan 21, 2017, 10:32 AM • Last activity: Dec 30, 2024, 05:54 PM

0 votes • 0 answers • 37 views
Solaris 10 elfsign: how to create a correct certificate to sign a binary?
On Solaris 11 it is possible to use certificates made with openssl; on Solaris 10 it is different.
```
elfsign sign -c solaris10.crt -k solaris10.key -e libeel-2.so
```
exits with an error, and the exit status is 4 (certificate not loaded).
Does anyone know how to create a certificate in pkcs#10 format for this program?
PEM trying
I tried a PEM certificate, but it gives an error.
```
elfsign sign -c sol1.pem -k sol1.pem -e libeel-2.so
elfsign: Unable to load certificate: sol1.pem
```
Generating a PEM with these commands works, but now it doesn't load the key:
```
openssl req -config ssl/openssl.cnf -new -newkey rsa:4096 -nodes -keyout snakeoil.key -out snakeoil.csr -batch
openssl x509 -req -sha256 -days 365 -in snakeoil.csr -signkey snakeoil.key -out snakeoil.pem
elfsign sign -c snakeoil.pem -k snakeoil.key -e libeel-2.so
elfsign: Unable to load private key: snakeoil.key
```
elbarna (13690 rep) • Dec 18, 2024, 09:16 PM • Last activity: Dec 18, 2024, 10:18 PM

1 votes • 0 answers • 89 views
How to verify vc_redist.x64.exe with osslsigncode?
`osslsigncode verify VirtualBox-7.1.0-164728-Win.exe`: Functional.
`osslsigncode verify vc_redist.x64.exe`: Broken.
Why? How to fix?
Full logs below.
Debian 12.
----
Functional:
```
osslsigncode verify VirtualBox-7.1.0-164728-Win.exe
```
```
Current PE checksum : 0698F8DE
Calculated PE checksum: 0698F8DE
Signature Index: 0 (Primary Signature)
Message digest algorithm : SHA256
Current message digest : 219D775E1F63FD2734FDB97D7EE67A17488B0E18B9A294114F7E17D8834B597F
Calculated message digest : 219D775E1F63FD2734FDB97D7EE67A17488B0E18B9A294114F7E17D8834B597F
Signer's certificate:
Signer #0:
Subject: /C=US/ST=California/L=Redwood City/O=Oracle America, Inc./CN=Oracle America, Inc.
Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Serial : 060E2F8F9E1B8BE518D5FE2B69CFCCB1
Certificate expiration date:
notBefore : Mar 9 00:00:00 2023 GMT
notAfter : Mar 11 23:59:59 2025 GMT
Number of certificates: 2
Signer #0:
Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
Serial : 08AD40B260D29C4C9F5ECDA9BD93AED9
Certificate expiration date:
notBefore : Apr 29 00:00:00 2021 GMT
notAfter : Apr 28 23:59:59 2036 GMT
------------------
Signer #1:
Subject: /C=US/ST=California/L=Redwood City/O=Oracle America, Inc./CN=Oracle America, Inc.
Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Serial : 060E2F8F9E1B8BE518D5FE2B69CFCCB1
Certificate expiration date:
notBefore : Mar 9 00:00:00 2023 GMT
notAfter : Mar 11 23:59:59 2025 GMT
Authenticated attributes:
Message digest algorithm: SHA256
Message digest: 780A2C240E94C6A520FBA4EBA7ADC02D5DB11B0F223CD3F202A4F11A56F73A7A
Signing time: N/A
Microsoft Individual Code Signing purpose
The signature is timestamped: Sep 6 22:12:04 2024 GMT
Hash Algorithm: sha256
Timestamp Verified by:
Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Serial : 0544AFF3949D0839A6BFDB3F5FE56116
CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt
CRL distribution point: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
TSA's CRL distribution point: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Timestamp Server Signature verification: ok
Signature verification time: Sep 6 22:12:04 2024 GMT
Signature verification: ok
Number of verified signatures: 1
Succeeded
```
----
Broken:
```
osslsigncode verify vc_redist.x64.exe
```
```
Current PE checksum : 0187CD76
Calculated PE checksum: 0187CD76
Signature Index: 0 (Primary Signature)
Message digest algorithm : SHA256
Current message digest : 870E96D39FD03180C74AE4BCC1C4B6203AF36AABDAC37210773C127F37393036
Calculated message digest : 870E96D39FD03180C74AE4BCC1C4B6203AF36AABDAC37210773C127F37393036
Signer's certificate:
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
Serial : 3300000403BDD5955D0F3B18AD000000000403
Certificate expiration date:
notBefore : Sep 12 20:11:13 2024 GMT
notAfter : Sep 11 20:11:13 2025 GMT
Number of certificates: 2
Signer #0:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
Serial : 3300000403BDD5955D0F3B18AD000000000403
Certificate expiration date:
notBefore : Sep 12 20:11:13 2024 GMT
notAfter : Sep 11 20:11:13 2025 GMT
------------------
Signer #1:
Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
Serial : 610E90D2000000000003
Certificate expiration date:
notBefore : Jul 8 20:59:09 2011 GMT
notAfter : Jul 8 21:09:09 2026 GMT
Authenticated attributes:
Message digest algorithm: SHA256
Message digest: C21A9171ECEC5F60ADFB1DDFF81B447D8B810D6A893F604E7C3D50849E3719DD
Signing time: N/A
Microsoft Individual Code Signing purpose
URL description: http://www.microsoft.com
Text description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34433
The signature is timestamped: Oct 29 12:03:40 2024 GMT
Hash Algorithm: sha256
Timestamp Verified by:
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
Serial : 33000001F91F678D75ABA4F1B10001000001F9
CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt
CRL distribution point: http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
CMS_verify error
4049E3FCAC7E0000:error:17000064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:289:Verify error: unable to get local issuer certificate
Timestamp Server Signature verification: failed
PKCS7_verify error
4049E3FCAC7E0000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:../crypto/pkcs7/pk7_smime.c:295:Verify error: unable to get local issuer certificate
Signature verification: failed
Number of verified signatures: 1
Failed
zsh: exit 1 osslsigncode verify vc_redist.x64.exe
```
adrelanos (1956 rep) • Dec 2, 2024, 09:34 AM • Last activity: Dec 2, 2024, 09:44 AM

2 votes • 1 answers • 363 views
gpg: Can't check signature: No public key | Debian Raspberry Pi Images
I am having some issues verifying the Raspberry Pi image for the RPI 2B of Debian.
**Steps followed:**
Download Files:
```
wget https://raspi.debian.net/tested/20231109_raspi_2_bookworm.img.xz && wget https://raspi.debian.net/tested/20231109_raspi_2_bookworm.img.xz.sha256 && wget https://raspi.debian.net/tested/20231109_raspi_1_bookworm.img.xz.sha256.asc
```
```
user@computer:~/ISOs/DebianRPI2B$ gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D 6294BE9B 09EA8AC3
gpg: key 42468F4009EA8AC3: "Debian Testing CDs Automatic Signing Key " not changed
gpg: key DA87E80D6294BE9B: "Debian CD signing key " not changed
gpg: key 988021A964E6EA7D: "Debian CD signing key " not changed
gpg: Total number processed: 3
gpg: unchanged: 3
user@computer:~/ISOs/DebianRPI2B$ gpg --with-fingerprint --verify 20231109_raspi_1_bookworm.img.xz.sha256.asc
gpg: Signature made Fri 10 Nov 2023 12:09:57 PM MST
gpg: using EDDSA key 4D14050653A402D73687049D2404C9546E145360
gpg: Can't check signature: No public key
user@computer:~/ISOs/DebianRPI2B$
```
Has Debian changed their GPG keys? Or am I making a mistake verifying them?
Cryptography isn't my specialty and I sincerely apologize if any mistakes are being made on my end.
Thank you so much for all of your time and energy. I immensely appreciate any support you can provide.
SpreadingKindness (23 rep) • Sep 16, 2024, 12:16 AM • Last activity: Sep 16, 2024, 05:36 AM

0 votes • 1 answers • 73658 views
error: msys: signature from "XXX" is invalid
How can I fix the error in the terminal on Arch Linux below?
```
error: msys: signature from "David Macek " is invalid
```
This happens when I execute the command:
```
sudo pacman-key --populate msys
```
kai00 (3 rep) • Oct 10, 2023, 01:21 AM • Last activity: Jul 17, 2024, 08:03 AM

3 votes • 1 answers • 3935 views
BAD signature when installing specific package with apk after forced poweroff
Earlier I was playing around with my PinePhone running postmarketOS Edge (based on Alpine Linux Edge) and while installing `gcc-go` using apk via the command `sudo apk add gcc-go` the phone froze. As such, I did a forced power off and booted it back up. Now, however, when I do `sudo apk add gcc-go` it gives me the following output:
```
(1/3) Installing libucontext (0.11-r0)
ERROR: libucontext-0.11-r0: BAD signature
(2/3) Installing libgo (10.2.0-r5)
ERROR: libgo-10.2.0-r5: BAD signature
(3/3) Installing gcc-go (10.2.0-r5)
ERROR: gcc-go-10.2.0-r5: BAD signature
3 errors; 2567 MiB in 711 packages
```
Go is subsequently then not installed, and when adding any package — including ones that aren't `gcc-go` — I get the same errors. It does stop if I do `sudo apk del gcc-go`, but if I subsequently attempt to install `gcc-go` via the same command as earlier the same error arises. It also persists if I add `--no-cache` to the install operation.
Why is this, and what might I do to resolve it so that `gcc-go` can be installed?
Newbyte (1380 rep) • Oct 6, 2020, 01:48 PM • Last activity: May 22, 2024, 09:26 PM

9 votes • 2 answers • 16232 views
How can I extract Signatures data from a Windows `exe` file under Linux using cli
If you go to the VirusTotal link, there is a tab called file info (I think; mine is Dutch). You'll see a header called "Authenticode signature block and FileVersionInfo properties".
I want to extract the data under the header using Linux cli. Example:
> Signature verification Signed file, verified signature
> Signing date 7:43 AM 11/4/2014
> Signers
> [+] Microsoft Windows
> [+] Microsoft Windows Production PCA 2011
> [+] Microsoft Root Certificate Authority 2010
> Counter signers
> [+] Microsoft Time-Stamp Service
> [+] Microsoft Time-Stamp PCA 2010
> [+] Microsoft Root Certificate Authority 2010
I used the `Camera.exe` in Windows 10, to somehow extract the data.
I extracted the `.exe` file, and found a `CERTIFICATE` file in it, there is a lot of unreadable data, but also some text, I can read, that is - roughly - the same like the above output.
How can I extract Signatures from a Windows `.exe` file under Linux using cli?
blade19899 (577 rep) • Mar 15, 2016, 11:01 AM • Last activity: Apr 22, 2024, 01:39 PM

1 votes • 1 answers • 500 views
Read Windows file digital signature time stamp in Ubuntu
I am trying to automate downloading the monthly Microsoft cab file for windows updates via my ubuntu server.
I would like to verify the digital signature before marking it as good (last few months MS has been screwing it up).
Windows has a tool called signtool. Is there an equivalent tool or another process?
(I am currently running Ubuntu 15.04)
ItsPaPPy (11 rep) • Dec 11, 2016, 01:46 PM • Last activity: Mar 5, 2024, 03:33 PM

0 votes • 1 answers • 628 views
"error: /boot/vmlinuz-6.6.9-amd64 has invalid signature" with secure boot on in Kali Linux
When I try to run my Kali Linux system with secure boot on, GRUB returns `error: /boot/vmlinuz-6.6.9-amd64 has invalid signature.`
I don't want to turn off secure boot. I have followed the directions from here: https://www.reddit.com/r/archlinux/comments/10pq74e/my_easy_method_for_setting_up_secure_boot_with
I used the command `grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="tpm" --disable-shim-lock` to reinstall grub.
I am dual-booting Windows 11 with Kali Linux.
I run an HP Envy x360.
horsey_guy (421 rep) • Jan 6, 2024, 07:03 PM • Last activity: Jan 14, 2024, 12:37 AM

0 votes • 1 answers • 410 views
apt-get update prevented by signature failure
I am trying to apt update on my WSL `sudo apt-get update` but getting this error.
```
Err:6 https://linux.qmk.fm focal InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B748CC185DF5DA1
```
I tried out the below command as this post suggests and tried different urls for `--keyserver`
```
gpg --recv-keys --keyserver hkp://pgp.mit.edu 8B748CC185DF5DA1
```
and looked up openpgp https://keys.openpgp.org/search?q=8B748CC185DF5DA1 but no luck there.
Is this something you can help me with please? Should I raise this as a qmk_firmware issue?
Sanjid (3 rep) • Dec 18, 2023, 02:44 AM • Last activity: Dec 18, 2023, 12:01 PM

3 votes • 2 answers • 5102 views
SUSE Linux Signature verification failed
When I code, build and sign an .rpm file for SUSE Linux, it is signed successfully as follows:
```
rpm --checksig -v xxx.rpm
Header V4 RSA/SHA256 Signature, key ID 7936b039: OK
Header SHA1 digest: OK
Header SHA256 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA256 Signature, key ID 7936b039: OK
MD5 digest: OK
```
But when I copy this file to a **SUSE Linux Enterprise 12 SP3** PC and recheck, the result is as follows:
```
rpm --checksig -v xxx.rpm
Header V4 RSA/SHA256 Signature, key ID 7936b039: NOKEY
Header SHA1 digest: OK (62415d048bc9e59e70037e94e41e54e1087a93af)
V4 RSA/SHA256 Signature, key ID 7936b039: NOKEY
MD5 digest: OK (bde2174905b9e9b05953b148385ed99a)
```
And then while installing, I get an error:
```
xxx.rpm:
Header V4 RSA/SHA256 Signature, key ID 7936b039: NOKEY
V4 RSA/SHA256 Signature, key ID 7936b039: NOKEY
xxx-15.4.2.1-0.x86_64 (Plain RPM files cache): Signature verification failed [4-Signatures public key is not available]
Abort, retry, ignore? [a/r/i] (a):
```
I researched some solutions on the Internet and I tried to re-import the public key file (which I created when signing the RPM file) before installing:
```
sudo rpm --import RPM-GPG-KEY-faleman
```
But it still failed.
What is the reason of this issue?
How can I sign my .RPM file to be able to install successfully on SUSE Linux without getting error messages?
CH4 (31 rep) • Oct 4, 2018, 04:07 AM • Last activity: Oct 24, 2023, 03:02 PM

2 votes • 1 answers • 263 views
Convert encrypted and signed to just signed PGP message
Suppose Bob got a message from Alice encrypted with his public key and signed with her private key. Now he wants to prove to Charlie that he got a message from her with this exact content. The message was created via `gpg --sign --encrypt`.
My idea was that he could decrypt the message and save it with its signature somewhere but I could find no way to achieve this. But since GPG signs the message and then encrypts it afterwards this should at least theoretically be possible.
Now how can he do this or do you have any other ideas how Bob can prove the message authenticity to Charlie?
Restrictions:
- Giving Charlie Bob's private key is (obviously) not an option.
- Communication is only possible via email.
- Alice cannot be contacted any more so resending the message or Charlie and Alice communicating with each other is not possible. Bob has to work with what he already has.
DumbQuestion (23 rep) • Aug 29, 2023, 04:02 PM • Last activity: Aug 29, 2023, 09:20 PM