A step-by-step guide that helps you figure out if the GPG signature is verified
Last Updated: August 28, 2023
This wikiHow guide details a clear 1-minute process to verify that a file in your possession was digitally signed by a particular GPG Secret Key and has been unmodified since the time of signing.
Part 1 of 2:
Downloading What You Need
To verify your belief that someone has signed a file, you will need a copy of that person's Public Key, a copy of the file, and a copy of the signature-file that was allegedly created through the interaction of the person's Secret Key and the file.
1. Acquire the Public Key.
- Import the Public Key into GPG.
2. Acquire a copy of the file in question.
- Save it in a Folder.
3. Acquire a copy of the signature-file in question.
- Save it in the same Folder.
Part 2 of 2:
Using GPG to Verify that someone's Secret Key Signed the File in Question
GPG will help you verify the relationship between your three files.
1. Open a command-line interface.
- Change the working directory to the Folder where your file and signature-file are saved.
2. Verify the signature.
- Type the following command into a command-line interface:
gpg --verify [signature-file] [file]
- E.g., if you have acquired
- (1) the Public Key 0x416F061063FEE659,
- (2) the Tor Browser Bundle file (tor-browser.tar.gz), and
- (3) the signature-file posted alongside the Tor Browser Bundle file (tor-browser.tar.gz.asc),
- You would type the following:
gpg --verify tor-browser.tar.gz.asc tor-browser.tar.gz
Community Q&A
Question
This guide shows how it's done on Windows, how is this done on Linux and macOS? In the same way or is it different?
Radj307
Community Answer
The method is identical for all platform-specific implementations of the GPG utility.
Question
'GPG' is not recognized as an internal or external command, operable program or batch file. What is wrong?
Radj307
Community Answer
You will need GPG installed to be able to use the GPG command. On Windows, you can use GPG4Win.
Question
How can I acquire the Public Key in Part 1 for the file targeted for download?
Radj307
Community Answer
The distributor of the file likely has their PGP public key somewhere on their website.
Warning
- Although you are now certain the Secret Key bound to the Public Key you possess was used to sign the file, you must still take precautions to ensure that this Public Key actually belongs to the person you believe it belongs to. Nothing prevents an adversary from making keys that appear to belong to someone.
- If you have not imported someone's Public Key to your GPG Keyring, this procedure does not work.
- The person may name the signature-file anything they want: the names of the file and the signature-file do not need to be similar or related.
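The first warning above is the part `gpg --verify` does not settle on its own: a good signature only shows that some key in your keyring signed the file. As an added example (not part of the original guide), this script runs the same command with `--status-fd` and accepts the result only when the signer's primary-key fingerprint equals one you obtained from the signer through a separate channel. The fingerprints and sample status lines are constructed placeholders, and `check_status` and `verify_file` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: accept a file only if GnuPG reports a valid signature AND the
# signing key is the one you expect. All values below are constructed samples.

EXPECTED_FPR='0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder primary-key fingerprint

# Constructed `gpg --status-fd` output: signature made by a subkey of EXPECTED_FPR.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2023-08-28 1693180800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed output for a file modified after signing.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>'

# check_status EXPECTED_FPR   (reads gpg status lines on stdin)
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the primary key and
# no bad, unverifiable, expired or revoked status was reported.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # The last VALIDSIG field is the primary-key fingerprint; it differs
        # from the first one when a subkey made the signature. If the field
        # is absent the comparison fails, so the check fails closed.
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_file EXPECTED_FPR SIGNATURE_FILE FILE
verify_file() {
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Stand-alone use: sh script FINGERPRINT tor-browser.tar.gz.asc tor-browser.tar.gz
if [ "$#" -eq 3 ]; then
    verify_file "$@" && echo "Signature is valid and was made by the expected key."
fi
```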
Things You'll Need
- GPG Encryption Engine
- Signed file
- Signature-file
- GPG Public Key
About This Article
wikiHow is a “wiki,” similar to Wikipedia, which means that many of our articles are co-written by multiple authors. To create this article, volunteer authors worked to edit and improve it over time. This article has been viewed 191,399 times.
Co-authors: 6