How To Verify Files and Signatures with PGP In Linux? – POFTUT

How To Verify Files and Signatures with PGP In Linux?


GnuPG is a popular open-source alternative to PGP. PGP provides encryption-related functions. Like the hash tools shipped with standard Linux packages, it can also be used to check the integrity of a file. We will look at how to verify files downloaded from the internet using their PGP signatures.

Find PGP Information

In this example, we will use the Apache source code. The Apache PGP signature can be downloaded as shown below.

$ wget https://www.apache.org/dist/httpd/httpd-2.4.38.tar.bz2.asc

We can see that the signature file has the asc extension and otherwise the same name as the compressed source code file.

Download Apache Source

We will download the Apache source code that the previously downloaded PGP signature belongs to.

$ wget https://www.apache.org/dist/httpd/httpd-2.4.38.tar.bz2

Verify Source Code

We will verify the downloaded Apache source code with PGP by providing the signature file. We only need to provide the asc file; gpg will match it with the source file of the same name in the same directory.

$ gpg httpd-2.4.38.tar.bz2.asc

There is a problem: the "Can’t check signature: No public key" error. This is because we haven't yet added the public key of Apache from a key server.

Add Public Key Server

We will use a public key server to get the key needed to check our signature file. The --keyserver option specifies the GPG key server, which can be an IP address or hostname. The --recv-key option takes the ID of the RSA key, which is provided with the asc file.

$ gpg --keyserver pgpkeys.mit.edu --recv-key B9E8213AEFB861AF35A41F2C995E35221AD84DFF

We have successfully received a public key from the server. The output shows some information about the imported key.

  • A name and web address associated with the key are shown.
  • `Total number processed` shows the total number of keys processed, which is 1 in this example.
  • `Imported` is the number of keys imported, which is 1 in this example.

Check Signature File Again

We will check the signature file again. I hope it works.

$ gpg httpd-2.4.38.tar.bz2.asc

We can see that gpg has determined the signed data. The RSA key is also printed to the screen, and the signer information is provided, which is Daniel Ruggeri.
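
A good signature only shows that the file was signed by some key in the local keyring, and a key fetched from a key server by the ID printed in the signature has not been confirmed to belong to the release signer. The script below is an added example, not part of the original article: it accepts a file only when gpg's machine-readable status output names a fingerprint that was pinned beforehand. The helper names `check_status` and `verify_pinned` are hypothetical, the sample status lines are constructed, and the pinned value is the fingerprint from the --recv-key command above, assumed to have been confirmed through a trusted channel.

```shell
#!/bin/sh
# Added example: accept a signature only if it was made by a pinned key.
# PINNED is the fingerprint from the article's --recv-key command; the
# assumption is that it was confirmed through a channel you trust.
PINNED='B9E8213AEFB861AF35A41F2C995E35221AD84DFF'

# check_status EXPECTED_FPR  (hypothetical helper name)
# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names EXPECTED_FPR as signing or primary key and no signature is reported
# as bad, unverifiable, expired, or made by an expired or revoked key.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned FILE SIG EXPECTED_FPR  (hypothetical helper name)
# Needs gpg installed and the signer's public key in the keyring, e.g.:
#   verify_pinned httpd-2.4.38.tar.bz2 httpd-2.4.38.tar.bz2.asc "$PINNED"
verify_pinned() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed status output (dates and the second key are made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 995E35221AD84DFF Daniel Ruggeri
[GNUPG:] VALIDSIG B9E8213AEFB861AF35A41F2C995E35221AD84DFF 2019-01-17 1547683200 0 4 0 1 8 00 B9E8213AEFB861AF35A41F2C995E35221AD84DFF'
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 1111111111111111 Someone Else
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2019-01-17 1547683200 0 4 0 1 8 00 1111111111111111111111111111111111111111'
SAMPLE_BAD='[GNUPG:] BADSIG 995E35221AD84DFF Daniel Ruggeri'

# Demo on the constructed samples: only the first one is accepted.
for sample in "$SAMPLE_GOOD" "$SAMPLE_OTHER_KEY" "$SAMPLE_BAD"; do
    if printf '%s\n' "$sample" | check_status "$PINNED"; then
        echo "accepted: signed by pinned key"
    else
        echo "rejected: not a valid signature from the pinned key"
    fi
done
```

The second sample is the case a plain exit-code check misses: gpg reports a good signature, but from a key other than the pinned one.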
