before install verify download signature

Is there an example of a command line for verifying the bro package before installing?

The file from the bro website bro-2.5.4.tar.gz

using shasum -a 256 has the result

80daea433fa654f2602cf67b19b9121ff6ad57761bad73cc29020c4f490c5f1f

but I do not see a number on the site to compare this with.

It does have the file for asc signature, however gpg doesn’t seem to work with asc

https://www.bro.org/downloads/bro-aux-0.39.tar.gz.asc

I’m doing this on osx sierra.

Before I posted, I did look through several months of messages for discussion/example.

Thanks.

$ wget https://www.bro.org/downloads/bro-2.5.4.tar.gz
--2018-08-02 09:26:39-- https://www.bro.org/downloads/bro-2.5.4.tar.gz
Resolving www.bro.org... 192.150.187.43
Connecting to www.bro.org|192.150.187.43|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18520847 (18M) [application/x-gzip]
Saving to: 'bro-2.5.4.tar.gz'

bro-2.5.4.tar.gz 100%[==============================================>] 17.66M 8.40MB/s in 2.1s

2018-08-02 09:26:41 (8.40 MB/s) - 'bro-2.5.4.tar.gz' saved [18520847/18520847]

$ wget https://www.bro.org/downloads/bro-2.5.4.tar.gz.asc
--2018-08-02 09:26:43-- https://www.bro.org/downloads/bro-2.5.4.tar.gz.asc
Resolving www.bro.org... 192.150.187.43
Connecting to www.bro.org|192.150.187.43|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 801 [text/plain]
Saving to: 'bro-2.5.4.tar.gz.asc'

bro-2.5.4.tar.gz.asc 100%[==============================================>] 801 --.-KB/s in 0s

2018-08-02 09:26:43 (54.6 MB/s) - 'bro-2.5.4.tar.gz.asc' saved [801/801]

$ gpg --verify bro-2.5.4.tar.gz.asc
gpg: assuming signed data in 'bro-2.5.4.tar.gz'
gpg: Signature made Wed May 30 11:32:36 2018 EDT
gpg: using RSA key C68B494DF56ACC7E
gpg: Good signature from "The Bro Team <info@bro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 962F D218 7ED5 A1DD 82FC 478A 33F1 5EAE F8CB 8019
     Subkey fingerprint: E969 0B2B 7D8A C1A1 9F92 1C4A C68B 494D F56A CC7E
$

Hi, thanks.

I followed your example, it did this…not the same response

cmm$ gpg --verify bro-2.5.4.tar.gz.asc
gpg: assuming signed data in ‘bro-2.5.4.tar.gz’
gpg: Signature made Wed May 30 08:32:36 2018 PDT
gpg: using RSA key C68B494DF56ACC7E
gpg: Can’t check signature: No public key

Charlie

ps.

In the email verification I received when I signed up for bro.org whoever created it/sent it put my account password in there, no encryption, just right there, bold as brass.

Hi Charlie,

It looks like you need to import the Bro public key into your GPG keyring.

As far as the password goes, this is the warning displayed right under the password prompt when you register:

You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. Do not use a valuable password as it will occasionally be emailed back to you in cleartext.

If you choose not to enter a password, one will be automatically generated for you, and it will be sent to you once you’ve confirmed your subscription. You can always request a mail-back of your password when you edit your personal options. Once a month, your password will be emailed to you as a reminder.

–Vlad
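
Added example, not part of the thread or the project's own tooling: a scripted version of the check discussed above, which imports the public key into a throwaway keyring and accepts the tarball only if gpg's machine-readable status reports a valid signature from the primary key fingerprint shown in the gpg output earlier in the thread (confirm that fingerprint against a source you trust before pinning it). The key file argument and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): accept a tarball only when gpg reports
# a valid signature AND the signing key's primary fingerprint is the pinned one.

# Fingerprint copied from the gpg output quoted in this thread, spaces removed.
BRO_FPR="962FD2187ED5A1DD82FC478A33F15EAEF8CB8019"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# ends in the pinned primary fingerprint and no BADSIG/ERRSIG line appears.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release KEYFILE SIGFILE TARBALL
# KEYFILE is the project's public key, fetched separately (the thread gives no
# location for it). It is imported into a throwaway keyring so that no other
# key already on the machine can satisfy the check.
verify_release() {
    vr_home=$(mktemp -d) || return 2
    gpg --homedir "$vr_home" --batch --quiet --import "$1" 2>/dev/null &&
        gpg --homedir "$vr_home" --batch --status-fd 1 --verify "$2" "$3" \
            2>/dev/null | check_status "$BRO_FPR"
    vr_rc=$?
    rm -rf "$vr_home"
    return "$vr_rc"
}

# Constructed status output (timestamps and algorithm ids are made up) for the
# two cases in the thread: key present, and "No public key".
SAMPLE_GOOD='[GNUPG:] GOODSIG C68B494DF56ACC7E The Bro Team <info@bro.org>
[GNUPG:] VALIDSIG E9690B2B7D8AC1A19F921C4AC68B494DF56ACC7E 2018-05-30 1527694356 0 4 0 1 8 00 962FD2187ED5A1DD82FC478A33F15EAEF8CB8019'
SAMPLE_NOKEY='[GNUPG:] ERRSIG C68B494DF56ACC7E 1 8 00 1527694356 9
[GNUPG:] NO_PUBKEY C68B494DF56ACC7E'

if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

Run it with the key file, the .asc file and the tarball as arguments; an exit status of 0 means the signature is valid and was made under the pinned key, while anything else (including the "No public key" case) is a rejection.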