Quick & Dirty PGP / GPG Verification

Quick & Dirty commands to verify a Download with GPG:

Make 3 Downloads:
File
File.sig
Author.asc

Import Author’s key:
gpg --import Author.asc

Verify File:
gpg --verify File.sig
(Note: you will probably get a warning that the key is not certified, because you have not marked the key as trusted. That is OK, but verify the key fingerprint to make sure that it is the author's.)

Example:
user@host:~/Downloads$ gpg --import TrueCrypt-Foundation-Public-Key.asc
gpg: key F0D6B1E0: public key "TrueCrypt Foundation <contact@truecrypt.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

user@host:~/Downloads$ gpg --verify truecrypt-6.3a-linux-x86.tar.gz.sig
gpg: Signature made Fri 02 Apr 2010 04:40:07 PM EDT using DSA key ID F0D6B1E0
gpg: Good signature from "TrueCrypt Foundation <contact@truecrypt.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C5F4 BAC4 A7B2 2DB8 B8F8  5538 E3BA 73CA F0D6 B1E0
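
The fingerprint comparison can be scripted instead of done by eye. This added example (not part of the original post) reads gpg's machine-readable --status-fd output and succeeds only when a good signature was made by the expected primary key fingerprint, which you must obtain from a source independent of the download. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted version of the manual fingerprint check.

# Constructed sample of `gpg --status-fd 1 --verify` output for the
# signature shown above (illustrative values, not captured from a real run).
SAMPLE_STATUS='[GNUPG:] GOODSIG E3BA73CAF0D6B1E0 TrueCrypt Foundation <contact@truecrypt.org>
[GNUPG:] VALIDSIG C5F4BAC4A7B22DB8B8F85538E3BA73CAF0D6B1E0 2010-04-02 1270240807 0 3 0 17 2 00 C5F4BAC4A7B22DB8B8F85538E3BA73CAF0D6B1E0
[GNUPG:] TRUST_UNDEFINED'

# normalize_fpr FPR: strip whitespace and upper-case a fingerprint as
# printed by gpg ("C5F4 BAC4 ..." becomes "C5F4BAC4...").
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# signer_fpr: read status lines on stdin and print the primary key
# fingerprint of the signer. Requires both GOODSIG and VALIDSIG, so a result
# gpg reports with another status (BADSIG, EXPKEYSIG, ...) prints nothing.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         # Field 12 is the primary key fingerprint when gpg reports it;
         # otherwise fall back to the signing key fingerprint in field 3.
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
         END { if (good && fpr != "") print fpr }'
}

# status_matches EXPECTED_FPR: succeed only if the status lines on stdin
# describe a good signature made by EXPECTED_FPR.
status_matches() {
    want=$(normalize_fpr "$1")
    got=$(signer_fpr)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_download SIGFILE EXPECTED_FPR: run gpg on a detached signature
# (the data file sits next to it, as in the example above) and apply the check.
verify_download() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | status_matches "$2"
}
```

Usage: verify_download truecrypt-6.3a-linux-x86.tar.gz.sig "C5F4 BAC4 A7B2 2DB8 B8F8  5538 E3BA 73CA F0D6 B1E0" && echo "signature and fingerprint OK"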

From:
How to Verify Digital Signatures
