Verify Downloaded Files

From Pabut

If you haven't done so already, import the public key of the file provider into your gpg keyring. Make sure you get the public key from a reliable source.

gpg --import keyfile.asc

Where keyfile.asc is the public key in ASCII format. Alternatively, if you leave off the filename, the public key can be added to the keyring from stdin (i.e. pasted from a web page).

Download the target file AND the gpg signature. The gpg signature will be a separate small file whose contents resemble:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkgaVi4ACgkQakRjwEAQIjO+tQCdEcBUJtHbitrGr+0WSExE4sXM
KTIAmwe/Y3Mwuli2IBlS8H2JvWC7PX3B
=Ucb1
-----END PGP SIGNATURE-----

Run the file and the signature through gpg:

gpg --verify slackware-12.1-install-dvd.iso.asc slackware-12.1-install-dvd.iso
gpg: Signature made Thu 01 May 2008 11:45:50 PM GMT using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
Primary key fingerprint: EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233
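
gpg prints "Good signature" for a valid signature from any public key in the keyring, so the fingerprint line is what ties the result to the expected signer. The script below is an added example, not part of the original page: it automates that comparison by reading gpg's --status-fd output. The function names and the sample status lines are constructed for illustration; the pinned fingerprint is the one shown in the output above.

```shell
#!/bin/sh
# Added example, not from the original page.
# Pinned fingerprint: the one in the gpg output above, spaces removed.
SLACKWARE_FPR="EC5649DA401E22ABFA6736EF6A4463C040102233"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS='[GNUPG:] GOODSIG 6A4463C040102233 Slackware Linux Project <security@slackware.com>
[GNUPG:] VALIDSIG EC5649DA401E22ABFA6736EF6A4463C040102233 2008-05-01 1209685550 0 3 0 17 2 00 EC5649DA401E22ABFA6736EF6A4463C040102233'

# check_status EXPECTED_FPR
# Reads gpg status lines on stdin. Succeeds only if there is a GOODSIG line,
# a VALIDSIG line whose primary key fingerprint equals EXPECTED_FPR, and no
# line reporting a bad, unverifiable, expired or revoked signature or key.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 1
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; fall back to the
            # signing key fingerprint (field 3) if it is absent.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) pinned = 1
        }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_pinned SIGFILE DATAFILE EXPECTED_FPR
# Runs gpg on a detached signature and applies check_status to the result.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}
```

Call it as verify_pinned slackware-12.1-install-dvd.iso.asc slackware-12.1-install-dvd.iso "$SLACKWARE_FPR"; a non-zero exit status means the signature did not come from the pinned key.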