GnuPG is a popular open-source alternative to PGP. PGP provides encryption-related functions, and it also provides a hash function like standard Linux packages. We will look at how to verify files downloaded from the internet using their PGP signatures.
Find PGP Information
In this example, we will use the Apache source code. The Apache PGP signature can be found and downloaded as shown below.
$ wget https://www.apache.org/dist/httpd/httpd-2.4.38.tar.bz2.asc

We can see that the signature file has the asc extension and the same name as the compressed source code file.
Download Apache Source
We will download the Apache source code that corresponds to the previously downloaded PGP signature.
$ wget https://www.apache.org/dist/httpd/httpd-2.4.38.tar.bz2

Verify Source Code
We will verify the downloaded Apache source code with PGP by providing the signature file. We will just provide the asc file, which will be matched to the source file in the same directory.
$ gpg httpd-2.4.38.tar.bz2.asc

There is a problem: the Can't check signature: No public key error. This is because we haven't added the public key of Apache from a server.
Add Public Key Server
We will add the public key server to check our signature file. We will use the --keyserver option to specify the GPG key server, which can be an IP address or hostname. Then we will use the --recv-key option and provide the ID of the RSA key, which is provided with the asc file.
$ gpg --keyserver pgpkeys.mit.edu --recv-key B9E8213AEFB861AF35A41F2C995E35221AD84DFF

We have successfully received a public key from the server. We can see there is some information about the imported key.
- The name and web address associated with the key are shown.
- `Total number processed` shows the total number of keys processed, which is 1 in this example.
- `Imported` is the number of imported keys, which is 1 in this example.
Check the Signature File Again
We will check the signature file again. I hope it works.
$ gpg httpd-2.4.38.tar.bz2.asc

We can see that the signed data is determined. Also, the RSA key is printed to the screen. The signer information is also provided, which is Daniel Ruggeri.
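The check above reports a good signature for any key in the local keyring, so a script that automates it should also confirm which key made the signature. The following is an added example, not part of the original article: it parses gpg's machine-readable `--status-fd` output and accepts only a VALIDSIG from the fingerprint used in the `--recv-key` step. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Pinned fingerprint: the one passed to --recv-key above.
PINNED_FPR="B9E8213AEFB861AF35A41F2C995E35221AD84DFF"

# check_status STATUS_TEXT EXPECTED_FPR
# Returns 0 only if gpg's status output has a VALIDSIG line naming
# EXPECTED_FPR and reports no failed, expired or revoked signature.
check_status() {
    status=$1
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    # ERRSIG covers the "No public key" case; BADSIG is a tampered file.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last
    # field is the primary key fingerprint. Either may be the pinned one.
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# verify_download SIGFILE DATAFILE: run gpg, then apply the check above.
verify_download() {
    out=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_status "$out" "$PINNED_FPR"
}

# Constructed status output (user ID and timestamps are made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 995E35221AD84DFF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG B9E8213AEFB861AF35A41F2C995E35221AD84DFF 2019-01-01 1546300800 0 4 0 1 8 00 B9E8213AEFB861AF35A41F2C995E35221AD84DFF'
# Constructed: a good signature, but from a key that is not the pinned one.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <other@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-01-01 1546300800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
# Constructed: the file does not match the signature.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 995E35221AD84DFF Example Signer <signer@example.org>'

# Usage: verify_download httpd-2.4.38.tar.bz2.asc httpd-2.4.38.tar.bz2
```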