How to Verify a GPG Signature

A step-by-step guide that helps you figure out if the GPG signature is verified

This how-to explains a clear and step-by-step, 1-minute process to verify that a file in your possession was digitally signed by a particular GPG Secret Key and has been unmodified since the time of signing.

Part 1
Part 1 of 2:

Downloading What You Need

To verify your belief that someone has signed a file, you will need a copy of that person's Public Key, a copy of the file, and a copy of the signature-file that was allegedly created through the interaction of the person's Secret Key and the file.

  1. Image titled Verify a GPG Signature Step 1
    1
    Acquire the Public Key.
    • Import the Public Key into GPG.
  2. Image titled Verify a GPG Signature Step 2
    2
    Acquire a copy of the file in question.
    • Save it in a Folder.
    Advertisement
  3. Image titled Verify a GPG Signature Step 3
    3
    Acquire a copy of the signature-file in question.
    • Save it in the same Folder.
    4. Advertisement
Part 2
Part 2 of 2:

Using GPG to Verify that someone's Secret Key Signed the File in Question

GPG will help you verify the relationship between your three files.

  1. Image titled Verify a GPG Signature Step 4
    1
    Open a command-line interface.
    • Change the working directory to the Folder where your file and signature-file are saved.
  2. Image titled Verify a GPG Signature Step 5
    2
    Verify the signature.
    • Type the following command into a command-line interface:
    • gpg --verify [signature-file] [file]
    • E.g., if you have acquired
    • (1) the Public Key 0x416F061063FEE659,
    • (2) the Tor Browser Bundle file (tor-browser.tar.gz), and
    • (3) the signature-file posted alongside the Tor Browser Bundle file (tor-browser.tar.gz.asc),
    • You would type the following:
    • gpg --verify tor-browser.tar.gz.asc tor-browser.tar.gz
    3. Advertisement

Community Q&A

  • Question
    This guide shows how it's done on Windows, how is this done on Linux and macOS? In the same way or is it different?
    Radj307
    Radj307
    Community Answer
    The method is identical for all platform-specific implementations of the GPG utility.
  • Question
    'GPG' is not recognized as an internal or external command, operable program or batch file. What is wrong?
    Radj307
    Radj307
    Community Answer
    You will need GPG installed to be able to use the GPG command. On Windows, you can use GPG4Win.
  • Question
    How can I acquire the Public Key in Part 1 for the file targeted for download?
    Radj307
    Radj307
    Community Answer
    The distributor of the file likely has their PGP public key somewhere on their website.
Advertisement

Warning

  • Although you are now certain the Secret Key bound to the Public Key you possess was used to sign the file, you must still take precautions to ensure that this Public Key actually belongs to the person you believe it belongs to. Nothing prevents an adversary from making keys that appear to belong to someone.
  • If you have not imported someone's Public Key to your GPG Keyring, this procedure does not work.
  • The person may name the signature-file anything they want: the names of the file and the signature-file do not need to be similar or related.

Things You'll Need

  • GPG Encryption Engine
  • Signed file
  • Signature-file
  • GPG Public Key


You Might Also Like

Play Minesweeper
How to
Play Minesweeper
Keep Teams from Going IdleHow to Keep Teams from Going Idle: 6 Things to Try
Install the Google Play Store on an Amazon Fire
How to
Install the Google Play Store on an Amazon Fire
Open EPUB Files
How to
Open EPUB Files
Save an Animation in Blender
How to
Save an Animation in Blender
Add a Password to a RAR File
How to
Add a Password to a RAR File
Crack Software by Modifying DLL Files
How to
Crack Software by Modifying DLL Files
Cancel Uber PassHow to End Your Uber Pass or Uber One Subscription in Seconds
Make an Exe File
How to
Make an Exe File
Edit DLL Files
How to
Edit DLL Files
Connect the Kindle Fire to a Computer2 Easy Ways Connect the Kindle Fire to a Computer
Run a .Jar Java File
How to
Run a .Jar Java File
Analyse Data Using SPSS
How to
Analyse Data Using SPSS
Create a SQL Server Database
How to
Create a SQL Server Database
Advertisement

About This Article

wikiHow is a “wiki,” similar to Wikipedia, which means that many of our articles are co-written by multiple authors. To create this article, volunteer authors worked to edit and improve it over time. This article has been viewed 153,741 times.
How helpful is this?
Co-authors: 6
Updated: June 2, 2022
Views: 153,741
Categories: Software
Advertisement