How To Check the Authenticity of a File With GPG

A good practice for detecting tampering with a file during download is to check its signature with gpg. In this short note, I will describe how to do it, because it is a hassle to look it up in the gpg man page every time.

Download And Import The Public Key

The public key of the signer must be imported into gpg in order to check the authenticity of the file. Normally, you can download the public key of the signer from his site. Keep in mind what this buys you: a good signature only proves that the file was signed by whoever holds the private half of the key you imported. If the key comes from the same site as the file, an attacker who controls that site can replace both, so compare the key's fingerprint with one you obtained through a second channel (a keyserver, a printed card, the author's page elsewhere) before you trust it. For example, to get my public key:


    Winfrieds-iMac:MacOS winfried$ curl https://sunkiddance.bplaced.net/pgp/pgp-public-key-winfried.txt > winfried@sunkiddance.de-public-key.asc
    Winfrieds-iMac:MacOS winfried$ file winfried\@sunkiddance.de-public-key.asc
    winfried@sunkiddance.de-public-key.asc: PGP public key block
    Winfrieds-iMac:MacOS winfried$ cat winfried\@sunkiddance.de-public-key.asc | gpg --keyid-format long --import
    gpg: key 06BEA18B90188FFD: public key "Winfried Dietmayer " imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    Winfrieds-iMac:MacOS winfried$

Check The Signature

After importing the key of the signer, you can check the detached signature of a file, say 'lyrics-cmus.sh', whose signature was published next to it as 'lyrics-cmus.sh.asc':


    Winfrieds-iMac:MacOS winfried$ gpg --verify lyrics-cmus.sh.asc ./lyrics-cmus.sh
    gpg: Signature made Sa 11 Feb 2017 14:50:11 CET using RSA key ID 90188FFD
    gpg: Good signature from "Winfried Dietmayer "
    Primary key fingerprint: 7CFF F224 EFA8 CF7F B098  16B1 06BE A18B 9018 8FFD
    Winfrieds-iMac:MacOS winfried$
Note the order of the files: the signature file first, followed by the file to be checked. (If you give only the signature file, gpg looks for the data file by stripping the .asc or .sig suffix from its name.) Then compare the printed primary key fingerprint with the one you obtained from the signer through a second channel: "Good signature" only says that the signature matches the imported key, and unless you have certified that key yourself gpg will also warn that it is not certified with a trusted signature. In a script, rely on gpg's exit status (0 for a good signature, non-zero for a bad or missing one) rather than on the text of its output.
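The same two steps, import and verify, as an added end-to-end example that is not part of the original note: it runs in throwaway keyrings under a temporary directory (so nothing touches ~/.gnupg), generates a demo signer key, exports and re-imports its public half the way a downloaded key would be, signs a constructed sample file, and then verifies the good file, a tampered copy, and a pinned fingerprint that does not match. The signer name, address, file names and the fingerprint pinning helper are assumptions made for the demo; in real use the expected fingerprint comes from a second channel, not from the keyring you just imported into.

```shell
#!/bin/sh
# Added example, not code from the original note. Names (Demo Signer,
# demo@example.invalid, lyrics-cmus.sh) and the sample file are constructed.
set -eu

# fingerprint_of KEYRING_DIR USERID -> prints the 40-hex primary key fingerprint.
fingerprint_of() {
    GNUPGHOME=$1 gpg --batch --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_pinned KEYRING_DIR SIGFILE DATAFILE EXPECTED_FPR
# Succeeds only if gpg exits 0 (good signature) AND the machine-readable
# VALIDSIG status line names EXPECTED_FPR. A good signature from some other
# key is a failure: that is the comparison the plain --verify output leaves
# to the reader.
verify_pinned() {
    dir=$1; sig=$2; data=$3; want=$4
    # Argument order as in the note: detached signature first, then the file.
    status=$(GNUPGHOME="$dir" gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# run_demo: signer side (key generation, export, detached signature), then
# verifier side (import into a separate keyring, three verification cases).
# Prints a one-line summary and returns 0 only when every case behaves.
run_demo() {
    work=$(mktemp -d)
    signer="$work/signer-home"; verifier="$work/verifier-home"
    mkdir -m 700 "$signer" "$verifier"

    # Unattended key generation without a passphrase (demo only, never for a real key).
    cat > "$work/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$signer" gpg --batch --quiet --gen-key "$work/params" 2>/dev/null
    GNUPGHOME="$signer" gpg --batch --armor --export demo@example.invalid > "$work/signer-public-key.asc"

    # Constructed sample file standing in for lyrics-cmus.sh, plus its detached signature.
    printf '#!/bin/sh\necho "constructed sample script"\n' > "$work/lyrics-cmus.sh"
    GNUPGHOME="$signer" gpg --batch --quiet --armor --detach-sign \
        --output "$work/lyrics-cmus.sh.asc" "$work/lyrics-cmus.sh"

    # Verifier side: import the "downloaded" public key into its own keyring.
    GNUPGHOME="$verifier" gpg --batch --quiet --import "$work/signer-public-key.asc" 2>/dev/null
    # In real use this value is obtained out of band; here it is read from the signer keyring.
    expected=$(fingerprint_of "$signer" demo@example.invalid)

    ok=0; bad=0; wrongkey=0
    verify_pinned "$verifier" "$work/lyrics-cmus.sh.asc" "$work/lyrics-cmus.sh" "$expected" && ok=1

    # Tampered copy: a single appended byte must turn the check into a failure.
    cp "$work/lyrics-cmus.sh" "$work/tampered.sh"; printf '#' >> "$work/tampered.sh"
    verify_pinned "$verifier" "$work/lyrics-cmus.sh.asc" "$work/tampered.sh" "$expected" || bad=1

    # Good signature but a pinned fingerprint that does not match: wrong signer, reject.
    verify_pinned "$verifier" "$work/lyrics-cmus.sh.asc" "$work/lyrics-cmus.sh" \
        "0000000000000000000000000000000000000000" || wrongkey=1

    GNUPGHOME="$signer" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$verifier" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"

    echo "good=$ok tampered_rejected=$bad wrong_fpr_rejected=$wrongkey"
    [ "$ok" = 1 ] && [ "$bad" = 1 ] && [ "$wrongkey" = 1 ]
}

# Run the demo when executed directly; silently skipped if gpg is not installed.
if command -v gpg >/dev/null 2>&1; then run_demo; fi
```

The interesting part is verify_pinned: it does not parse the human-readable "Good signature" text at all but reads the VALIDSIG status line, which carries the full fingerprint, and treats a signature from any other key as a failure. That turns the manual fingerprint comparison from the note into something a download script can enforce.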