My understanding is that
downloads gpg --verify Trezor-Suite-23.12.3-mac-x64.dmg.asc
gpg: assuming signed data in ‘Trezor-Suite-23.12.3-mac-x64.dmg’
gpg: Signature made 三 12/20 02:22:26 2023 HKT
gpg: using RSA key EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
gpg: Good signature from “SatoshiLabs 2021 Signing Key” [ultimate]
Tells you that the fingerprint of the signature key satoshilabs-2021-signing-key.asc matches the hash file Trezor-Suite-23.12.3-mac-x64.dmg.asc
But how to verify that the Hash file Trezor-Suite-23.12.3-mac-x64.dmg.asc is actually the hash of the software Trezor-Suite-23.12.3-mac-x64.dmg ?
Seems to me that we have 3 files but gpg checks the integrity of only two, as I don't see any reference to the executable itself in the command line… first time using the terminal, so apologies if I am missing something
High-level, what is going on is that a signer (owner of the key “SatoshiLabs 2021”) produced a signature (the .asc file) of some data (contents of .dmg).
The verification command (gpg --verify) ensures that the three pieces of data go together: it was this signer who produced this signature of this data.
The output actually tells you:
Again, you can easily check that this is actually happening. Change the contents of the .dmg file, for instance, download an older Suite and rename it to Trezor-Suite-23.12.3-mac-x64.dmg. The verification will fail, because the data will not match the signature.
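The experiment suggested above, as an added example that is not part of the original thread: it signs a constructed file with a throwaway key in an isolated keyring (the identity, file names and contents are all made up here), confirms the detached signature verifies, then swaps the data file's bytes under the same name and shows that the same signature is now rejected.

```shell
#!/bin/sh
# Added example, not from the forum thread: sign a constructed file with a
# throwaway key, then show that gpg --verify accepts the signature only while
# signer key, detached .asc signature and data file all still belong together.
set -u

# Exit status 0 if SIG is a valid detached signature over DATA, 1 otherwise.
verify_detached() {
    gpg --batch --quiet --verify "$1" "$2" >/dev/null 2>&1
}

# Create an isolated keyring with a hypothetical signing identity and a
# constructed "release" file plus its detached ASCII-armored signature.
demo_setup() {
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Signing Key <signer@example.invalid>' \
        default default never >/dev/null 2>&1
    printf 'constructed release payload\n' > "$GNUPGHOME/release.dmg"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$GNUPGHOME/release.dmg.asc" \
        "$GNUPGHOME/release.dmg"
}

# Run the whole demonstration and print two words: the result for the
# untouched file, then the result after the data file has been swapped
# (the forum answer's "rename an older build" experiment).
demo_run() {
    demo_setup
    if verify_detached "$GNUPGHOME/release.dmg.asc" "$GNUPGHOME/release.dmg"
    then intact=good; else intact=bad; fi
    # Same file name, different bytes: the signature no longer matches.
    printf 'some older build\n' > "$GNUPGHOME/release.dmg"
    if verify_detached "$GNUPGHOME/release.dmg.asc" "$GNUPGHOME/release.dmg"
    then swapped=good; else swapped=bad; fi
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"
    echo "$intact $swapped"   # prints "good bad"
}
```

Source the script and call `demo_run`; it needs a working `gpg` (2.1 or later) and leaves nothing behind in your normal keyring because everything lives in a temporary GNUPGHOME.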
thank you for spending the time to educate me on this, I thought the gpg --verify was just checking that the signature was produced by the signer and didn't check the content of .dmg,
Now I understand that gpg --verify ensures that the three pieces of data go together.