How to Verify a GPG Signature

Introduction

This tutorial covers the process of verifying a GPG signature, which is commonly done to confirm that an email, document, or downloaded file really came from the expected source and has not been altered since it was signed. It only covers verifying signatures, not creating them. To learn how to sign and how to sign-and-encrypt, read GPG Tutorial - Signatures.

GPG offers a lot more functionality than just verifying signatures though. To learn more about GPG in general and how to manage keys, encrypt, sign, and more, read my GPG Tutorial.

In some situations you are not given a GPG signature but an MD5, SHA-1 or SHA-256 hash. A hash lets you check the integrity of the download (that the bytes you received are the bytes the publisher hashed), but it tells you nothing about who published them, the way a GPG signature does: anyone who can swap the file on a mirror can swap the checksum sitting next to it. MD5 and SHA-1 are also no longer collision resistant, so a SHA-256 checksum is what you should expect from a project today. To learn more about checksums, read How to Verify a Checksum.

Steps

To verify a signature there are a few important steps:

1) Import the public GPG key of the author/sender
2) Obtain the signature file
3) Verify the signature file

Import the public key

In order to verify a signature, you will first need the public GPG key of the person who created the signature. There are many ways you can obtain someone's public key, including:

  • Physically obtaining a copy directly from someone (e.g. file on a USB drive)
  • Download it from the internet (e.g. from someone's website)
  • Download it from a public key server (e.g. https://pgp.mit.edu)

For example, if you want to obtain the public DevDungeon GPG key to verify a download or to email [email protected], you can find it at https://www.devdungeon.com/gpg.

Once you have obtained a public key, import it into your local keyring by running gpg with the --import flag. Before relying on the key, compare its full fingerprint (shown by gpg --fingerprint) with one the author published through a channel you trust, such as their website or a printed card. The name and email address on a key prove nothing by themselves, because anyone can generate a key claiming to be someone else and upload it to a key server.

gpg --import [public-key-file]

You can also fetch a key directly from a public key server if you know its ID. Use a long key ID or the full fingerprint rather than an 8-character short ID, since short IDs are cheap to collide. This example imports NanoDano's public DevDungeon GPG key from the MIT server:

gpg --keyserver pgp.mit.edu --recv-keys C104CDF0EDA54C82

Obtain the signature file

The signature file is supplied by whoever published the original file, normally right next to it.

There are detached signatures and attached signatures. An attached signature is a single file that bundles the original content and the signature (a clearsigned text message, where the signature block follows the readable text, is one form of this). A detached signature is a separate small file containing only the signature, and the original file is distributed beside it. Detached signatures are the usual choice for downloads, because the file stays directly usable and the signature can be produced without touching it.

Depending on which form the author chose, you will receive either one file or two. Signature files commonly end in .sig (binary) or .asc (ASCII-armored), but the extension is only a convention.

Verify the signature

If the signature is attached, you only need to pass the single file. With --verify, gpg checks the signature but does not write out the original document; to get the document back, use --decrypt together with --output. The --decrypt command handles signed-only files as well as files that were signed and then encrypted, verifying the signature as it unpacks them.

# Verify only
gpg --verify [signature-file]
# Verify and extract original document from attached signature
gpg --output [original-filename] --decrypt [signature-file]

In either case gpg prints "Good signature from ..." for a valid signature and "BAD signature" otherwise, and its exit status is 0 only when the signature is good, which is what a script should check rather than parsing the text. A warning that the key "is not certified with a trusted signature" does not mean the signature is bad: it means you have not told gpg that you trust the key, which is exactly why you compared the fingerprint when you imported it.

If the signature is detached, gpg tries to work out the original file name by stripping the signature extension. For example, if your signature file is myfile.sig (or myfile.asc), it looks for a file named myfile in the same directory. If the names differ or you want to be explicit, provide both names, signature file first:

gpg --verify [signature-file] [original-file]
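The following script is an added example, not part of the original tutorial, that runs the three steps end to end (it also covers the fingerprint check recommended in the key-import section). So that it works offline, an "author" side with a throw-away key is created first to produce a sample file, a detached signature and an exported public key; the identity "Example Author <[email protected]>", the sample file contents and the two temporary GnuPG homes are all constructed for the demonstration. The verifier side then does exactly what you would do with a real download: import the key, compare its fingerprint with the published one, verify the signature, and confirm that a tampered copy is rejected.

```shell
#!/bin/sh
# Added example (not the tutorial's own code). Two throw-away GnuPG homes:
# "author" stands in for the person who signed, "verifier" is your keyring.
set -eu

WORK=$(mktemp -d)
AUTHOR_HOME="$WORK/author"      # hypothetical author's keyring
VERIFIER_HOME="$WORK/verifier"  # your keyring: starts out empty
cleanup() {
    for h in "$AUTHOR_HOME" "$VERIFIER_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Author side: make a key, a sample file, a detached signature, and export
# the public key that a real author would publish on their website.
author_publish() {
    mkdir -m 700 "$AUTHOR_HOME"
    GNUPGHOME="$AUTHOR_HOME" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Author
Name-Email: [email protected]
Expire-Date: 0
%commit
EOF
    printf 'constructed release contents\n' > "$WORK/release.tar"   # sample file
    GNUPGHOME="$AUTHOR_HOME" gpg --batch --quiet --detach-sign \
        --output "$WORK/release.tar.sig" "$WORK/release.tar"
    GNUPGHOME="$AUTHOR_HOME" gpg --batch --quiet --armor --export \
        "[email protected]" > "$WORK/author-pubkey.asc"
    # The fingerprint the author publishes out of band (website, card, ...).
    PUBLISHED_FPR=$(GNUPGHOME="$AUTHOR_HOME" gpg --batch --with-colons --fingerprint \
        "[email protected]" | awk -F: '$1 == "fpr" { print $10; exit }')
}

# Step 1: import the author's public key into your own keyring.
import_author_key() {
    mkdir -m 700 "$VERIFIER_HOME"
    GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --import "$WORK/author-pubkey.asc"
}

# Fingerprint of a key in your keyring, to compare with the published one.
local_fingerprint() {
    GNUPGHOME="$VERIFIER_HOME" gpg --batch --with-colons --fingerprint "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 3: verify a detached signature. Exit status 0 means gpg found a good
# signature from a key in the keyring; anything else means do not use the file.
verify_detached() {
    GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --verify "$1" "$2" 2>/dev/null
}

# For scripts, --status-fd prints stable machine-readable lines. VALIDSIG
# carries the full fingerprint of the signing key, so a script can demand
# one specific key instead of "any key that happens to be in the keyring".
signing_fingerprint() {
    GNUPGHOME="$VERIFIER_HOME" gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

main() {
    author_publish
    import_author_key

    # Never trust a key just because it imported cleanly: compare fingerprints.
    if [ "$(local_fingerprint '[email protected]')" != "$PUBLISHED_FPR" ]; then
        echo "fingerprint mismatch: wrong key" >&2
        exit 1
    fi

    # Human-readable check: expect "Good signature" plus a warning that the
    # key is not certified (you checked the fingerprint yourself instead).
    GNUPGHOME="$VERIFIER_HOME" gpg --verify "$WORK/release.tar.sig" "$WORK/release.tar"

    # Changing even one byte of the file must make verification fail.
    cp "$WORK/release.tar" "$WORK/tampered.tar"
    printf 'x' >> "$WORK/tampered.tar"
    if verify_detached "$WORK/release.tar.sig" "$WORK/tampered.tar"; then
        echo "BUG: tampered file verified" >&2
        exit 1
    fi
    echo "tampered copy rejected, as expected"
    echo "signed by key $(signing_fingerprint "$WORK/release.tar.sig" "$WORK/release.tar")"
}

if command -v gpg >/dev/null 2>&1; then
    main
else
    echo "gpg not found: install GnuPG to run this demonstration" >&2
fi
```

Save it as verify-demo.sh and run it with sh. In a real verification you would skip the author side entirely: download the key and signature, set PUBLISHED_FPR to the fingerprint from the author's website, and use the verify_detached and signing_fingerprint functions as they are. Pinning on the VALIDSIG fingerprint is what distinguishes "signed by the key I meant" from "signed by some key I once imported".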

Conclusion

After reading this, you should know how to verify a GPG signature and why you would want to. You should understand the difference between detached and attached signatures, and the difference between GPG signing, GPG encryption, and checksum verification.
