--
This quick tutorial shows how to use GPG to verify the signature on a software package. The goal is to confirm that the file you downloaded is the one the developer actually signed, and that nobody has altered it on the way to you. The steps are written for Linux but work the same on Mac OS X once you have installed the GPG suite from [gpgtools.org] (and of course, ideally you should verify that download too!).
- Youtube link
- Archive.org mirror
- Torrent
- Keybase mirror
REQUIREMENTS
Firstly, you will need the signed software package that you wish to verify (in this case, I called it example_software.tar.bz2).
You also need the corresponding detached signature, which normally has the same file name with .sig added on the end (some projects ship an ASCII-armored signature named .asc instead; the commands below work the same either way).
Thirdly, you need the public key from whoever signed the package. In this example, the file is called public.asc.
HOW-TO GUIDE
Step 1. Make sure the required files are in the same directory. Open up terminal and change directory if necessary. In this example, everything is on the Desktop.
cd ~/Desktop
Step 2. Import the public key by typing the following:
gpg --import public.asc
Press enter, and you'll see a confirmation that the key was imported, including its key ID.
Step 3. Verify the key fingerprint. Developers usually publish it on their website, in a Twitter bio or on a site like keybase.io. The aim is to match the fingerprint printed in your terminal against the published one, character for character, to prove the key you just imported really belongs to that person. Compare the full 40-character fingerprint, not just the short key ID (4F25E3B6 in this example): the short ID is only the last eight hex digits, and it is cheap to generate a different key that shares them.
gpg --fingerprint 4F25E3B6
Step 4. The final step is to verify the software package. The braces are expanded by the shell into two arguments, the signature first and then the file it covers:
gpg --verify example_software.tar.bz2{.sig,}
The line you're looking for is "Good signature from ...". The key ID on that line should be the same as the one you imported and whose fingerprint you checked. You'll also see "WARNING: This key is not certified with a trusted signature!", which just means you haven't given the key a trust rating in your keyring, so gpg itself cannot know it belongs to the right person. Checking the fingerprint like we did in step 3 should suffice for most cases. Anything other than "Good signature", in particular "BAD signature", means the package or the signature has been altered or you have the wrong key, and you should not use the package.
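Steps 2 to 4 as a single script, added here as an example and not taken from the tutorial. It wraps the import, verify and fingerprint comparison in one function so that a "Good signature" from some key other than the expected one is treated as a failure, which is the mistake the eyeball check in step 4 makes easy. It assumes GnuPG 2.1 or later is installed (for --quick-generate-key and --pinentry-mode); the signer name, the key, the package and the signature are all constructed on the fly in throwaway GNUPGHOME directories, so your real keyring is never touched and none of these files correspond to a real project.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: steps 2 to 4 as one
# shell function that also pins the expected fingerprint, so a "Good
# signature" from some other key is treated as a failure. The key, the
# package and the signature used below are constructed on the fly in
# throwaway GNUPGHOME directories; your real keyring is never touched.
set -eu

# verify_package PACKAGE SIGNATURE PUBKEY EXPECTED_FINGERPRINT
# Exit 0 only if gpg reports a valid signature on PACKAGE made by a key
# whose fingerprint (the signing key's, or its primary key's) equals
# EXPECTED_FINGERPRINT. Spaces and case in the fingerprint are ignored,
# so it can be pasted straight from "gpg --fingerprint" output.
verify_package() {
    pkg=$1 sig=$2 pubkey=$3 expected=$4
    gpg --batch --quiet --import "$pubkey" 2>/dev/null || return 1
    # --status-fd 1 gives machine-readable lines. VALIDSIG carries the
    # fingerprint of the signing key in field 3 and of its primary key in
    # the last field; a BAD signature makes gpg exit non-zero.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null) || return 1
    have=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; print $NF }')
    [ -n "$have" ] || return 1
    want=$(printf '%s' "$expected" | tr -d ' ' | tr 'a-f' 'A-F')
    for fpr in $have; do
        if [ "$fpr" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# setup_demo: build a signer keyring, sign a constructed package with it,
# export the public key, then switch to an empty "downloader" keyring.
# Sets DEMO_PKG, DEMO_SIG, DEMO_PUB and DEMO_FPR for the calls below.
setup_demo() {
    DEMO_WORK=$(mktemp -d)
    trap cleanup_demo EXIT
    signer=$DEMO_WORK/signer
    mkdir -m 700 "$signer" "$DEMO_WORK/user"
    # Throwaway key with no passphrase; the user ID is a placeholder.
    GNUPGHOME=$signer gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Signer <signer@example.invalid>' default default never 2>/dev/null
    DEMO_FPR=$(GNUPGHOME=$signer gpg --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" { print $10; exit }')
    DEMO_PKG=$DEMO_WORK/example_software.tar.bz2
    DEMO_SIG=$DEMO_PKG.sig
    DEMO_PUB=$DEMO_WORK/public.asc
    printf 'constructed package contents, not a real archive\n' > "$DEMO_PKG"
    GNUPGHOME=$signer gpg --batch --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$DEMO_SIG" "$DEMO_PKG" 2>/dev/null
    GNUPGHOME=$signer gpg --batch --armor --export "$DEMO_FPR" > "$DEMO_PUB"
    # From here on, act as the downloader: an empty keyring, like a fresh user.
    GNUPGHOME=$DEMO_WORK/user
    export GNUPGHOME
}

cleanup_demo() {
    for home in "$DEMO_WORK/signer" "$DEMO_WORK/user"; do
        GNUPGHOME=$home gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$DEMO_WORK"
}

report() {
    if verify_package "$DEMO_PKG" "$DEMO_SIG" "$DEMO_PUB" "$2"; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}

setup_demo
report "genuine package, right fingerprint" "$DEMO_FPR"
report "genuine package, wrong fingerprint" 0000000000000000000000000000000000000000
printf 'one tampered byte\n' >> "$DEMO_PKG"
report "tampered package" "$DEMO_FPR"
cleanup_demo
```

The important design choice is in verify_package: it does not grep for the words "Good signature" but reads the VALIDSIG status line, which only appears when the signature verified, and then compares the full fingerprint against the value you obtained out of band. The all-zero fingerprint passed in the second call is deliberately wrong, to show that a good signature from the wrong key is rejected; the third call shows a modified package being rejected even with the right key.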
FINISHED
You've now successfully verified the signature of the software package. In most cases this adds real assurance, but remember it's not a magic bullet. A good signature only proves that whoever holds the private half of that key signed this exact file: it means nothing if the developer's private key has been compromised, or if the fingerprint you compared against was published somewhere an attacker could have altered.
--
BY NODE