PDF download Download Article PDF download Download Article

This wikiHow teaches you how to verify the PGP signature of a downloaded file. You should always verify the PGP signature of a signed file to make sure the version you downloaded is official. To verify the signature, you'll need the publisher's public key, the software's signature file, and GnuPG. GnuPG is preinstalled in all Linux distributions, but you'll need to install it if you're using Windows or macOS.

Method 1
Method 1 of 2:

Linux & macOS

PDF download Download Article
  1. If you're using a Linux installation outside of macOS, you can skip this step. macOS users should first install Homebrew, and then use it to install the GnuPG software package:
  2. This is the file that ends with .sig. Be sure to save the signature file to the same directory as the file you want to check.
    • An easy way to do this is from the command prompt is to cd into the appropriate directory and download the file using wget https://path/to/signaturefile.sig .
    Advertisement
  3. You can usually download this from the signer's website or by saving an email attachment to your computer. The public key file usually ends with .asc.
    • As with downloading the signature file, you can use wget to download the public key.
    • If you have the key ID but not a path to download the file, use this command to get the key: gpg --recv-keys KEYID . If you receive the key this way, skip step 4 and go directly to step 5.
  4. You can do this with the following command in a terminal window:
    • gpg --import PUBLICKEY .
    • Replace PUBLICKEY with the actual file name. [3]
  5. Now that all of the files are in their correct locations, you can verify the signature with the following command:
    • gpg --verify SIGNATURE.SIG FILE .
    • Replace SIGNATURE.SIG with the signature file name, and FILE with the name of the file you want to verify.
    • If the output says "Good Signature," you've successfully verified the key. If the signature is bad, you'll know the file is broken or has been edited since the signing.
  6. Advertisement
Method 2
Method 2 of 2:

Windows

PDF download Download Article
  1. You can get the application from https://www.gpg4win.org/download.html . During the installation, you'll see a list of apps that will be installed—just keep the default options selected.
    • The default installation location is C:\Program Files (x86)\Gnu\GnuPg\gpg.exe. When you run the command required to verify the signature, you'll need to enter the full path to the gpg.exe file. If you choose a different install location, make sure you remember the full path. [4]
  2. This is the file that ends with .sig. You'll need to save the file to the same directory as the file you want to verify.
  3. You can usually download this from the signer's website or by saving an email attachment to your computer. The public key file usually ends with .asc. This should also be saved to the same folder.
  4. It's the folder icon on the taskbar. You can also open it by pressing the Windows key + E . [5]
  5. If you don't see a navigation pane in the left panel of File explorer, click the View menu at the top and select Navigation pane and then Navigation pane again to bring it up. This makes it easier to find what you're looking for.
  6. A menu will expand.
  7. If you don't see that option, select Open PowerShell window here .
  8. Here's how:
    • Type C:\Program Files (x86)\Gnu\GnuPg\gpg.exe --import PUBLICKEY and press Enter . Replace PUBLICKEY with the actual file name.
    • If you don't have a file containing the public key, but you do have a key ID, use this command instead: C:\Program Files (x86)\Gnu\GnuPg\gpg.exe --recv-keys KEYID .
  9. Now that the files are ready, here's how to verify the signature: [6]
    • C:\Program Files (x86)\Gnu\GnuPg\gpg.exe --verify SIGNATURE.SIG FILE .
    • Replace SIGNATURE.SIG with the signature file name, and FILE with the name of the file you want to verify.
    • If the output says "Good Signature," you've successfully verified the key. If the signature is bad, you'll know the file is broken or has been edited since the signing.
  10. Advertisement

Community Q&A

Search
Add New Question
  • Question
    What is an open source software that can do the same thing? Some of us have special security circumstances.
    Radj307
    Community Answer
    GPG (GNU Privacy Guard), as part of the GNU movement, is open-source software.
Ask a Question
      Advertisement

      Video

      Tips

      Submit a Tip
      All tip submissions are carefully reviewed before being published
      Name
      Please provide your name and last initial
      Thanks for submitting a tip for review!

      About This Article

      Article Summary X

      1. Install GnuPG if you're using a Mac, or GPG4win if you're using Windows.
      2. Download the PGP signature file to the same directory as the file you're checking.
      3. Download the signer's public key to the same location.
      4. Import the key into your public keyring.
      5. Use gpg --verify to verify the signature.

      Did this summary help you?
      Thanks to all authors for creating a page that has been read 273,516 times.

      Is this article up to date?

      Advertisement