How to Verify a GPG Signature

PDF download Download Article
A step-by-step guide that helps you figure out if the GPG signature is verified
PDF download Download Article

This wikiHow guide details a clear 1-minute process to verify that a file in your possession was digitally signed by a particular GPG Secret Key and has been unmodified since the time of signing.

Part 1
Part 1 of 2:

Downloading What You Need

PDF download Download Article

To verify your belief that someone has signed a file, you will need a copy of that person's Public Key, a copy of the file, and a copy of the signature-file that was allegedly created through the interaction of the person's Secret Key and the file.

  1. {"smallUrl":"https:\/\/www.wikihow.com\/images\/thumb\/d\/d0\/Verify-a-GPG-Signature-Step-1.jpg\/v4-460px-Verify-a-GPG-Signature-Step-1.jpg","bigUrl":"\/images\/thumb\/d\/d0\/Verify-a-GPG-Signature-Step-1.jpg\/aid3568678-v4-728px-Verify-a-GPG-Signature-Step-1.jpg","smallWidth":460,"smallHeight":345,"bigWidth":728,"bigHeight":546,"licensing":"<div class=\"mw-parser-output\"><p>License: <a target=\"_blank\" rel=\"nofollow noreferrer noopener\" class=\"external text\" href=\"https:\/\/en.wikipedia.org\/wiki\/Fair_use\">Fair Use<\/a> (screenshot)<br>\n<\/p><\/div>"}
    • Import the Public Key into GPG.
  2. {"smallUrl":"https:\/\/www.wikihow.com\/images\/thumb\/7\/72\/Verify-a-GPG-Signature-Step-2.jpg\/v4-460px-Verify-a-GPG-Signature-Step-2.jpg","bigUrl":"\/images\/thumb\/7\/72\/Verify-a-GPG-Signature-Step-2.jpg\/aid3568678-v4-728px-Verify-a-GPG-Signature-Step-2.jpg","smallWidth":460,"smallHeight":345,"bigWidth":728,"bigHeight":546,"licensing":"<div class=\"mw-parser-output\"><p>License: <a target=\"_blank\" rel=\"nofollow noreferrer noopener\" class=\"external text\" href=\"https:\/\/en.wikipedia.org\/wiki\/Fair_use\">Fair Use<\/a> (screenshot)<br>\n<\/p><\/div>"}
    • Save it in a Folder.
    Advertisement
  3. {"smallUrl":"https:\/\/www.wikihow.com\/images\/thumb\/3\/3b\/Verify-a-GPG-Signature-Step-3.jpg\/v4-460px-Verify-a-GPG-Signature-Step-3.jpg","bigUrl":"\/images\/thumb\/3\/3b\/Verify-a-GPG-Signature-Step-3.jpg\/aid3568678-v4-728px-Verify-a-GPG-Signature-Step-3.jpg","smallWidth":460,"smallHeight":345,"bigWidth":728,"bigHeight":546,"licensing":"<div class=\"mw-parser-output\"><p>License: <a target=\"_blank\" rel=\"nofollow noreferrer noopener\" class=\"external text\" href=\"https:\/\/en.wikipedia.org\/wiki\/Fair_use\">Fair Use<\/a> (screenshot)<br>\n<\/p><\/div>"}
    • Save it in the same Folder.
    4. Advertisement
Part 2
Part 2 of 2:

Using GPG to Verify that someone's Secret Key Signed the File in Question

PDF download Download Article

GPG will help you verify the relationship between your three files.

  1. {"smallUrl":"https:\/\/www.wikihow.com\/images\/thumb\/7\/72\/Verify-a-GPG-Signature-Step-4.jpg\/v4-460px-Verify-a-GPG-Signature-Step-4.jpg","bigUrl":"\/images\/thumb\/7\/72\/Verify-a-GPG-Signature-Step-4.jpg\/aid3568678-v4-728px-Verify-a-GPG-Signature-Step-4.jpg","smallWidth":460,"smallHeight":345,"bigWidth":728,"bigHeight":546,"licensing":"<div class=\"mw-parser-output\"><p>License: <a target=\"_blank\" rel=\"nofollow noreferrer noopener\" class=\"external text\" href=\"https:\/\/en.wikipedia.org\/wiki\/Fair_use\">Fair Use<\/a> (screenshot)<br>\n<\/p><\/div>"}
    • Change the working directory to the Folder where your file and signature-file are saved.
  2. {"smallUrl":"https:\/\/www.wikihow.com\/images\/thumb\/8\/85\/Verify-a-GPG-Signature-Step-5.jpg\/v4-460px-Verify-a-GPG-Signature-Step-5.jpg","bigUrl":"\/images\/thumb\/8\/85\/Verify-a-GPG-Signature-Step-5.jpg\/aid3568678-v4-728px-Verify-a-GPG-Signature-Step-5.jpg","smallWidth":460,"smallHeight":345,"bigWidth":728,"bigHeight":546,"licensing":"<div class=\"mw-parser-output\"><p>License: <a target=\"_blank\" rel=\"nofollow noreferrer noopener\" class=\"external text\" href=\"https:\/\/en.wikipedia.org\/wiki\/Fair_use\">Fair Use<\/a> (screenshot)<br>\n<\/p><\/div>"}
    • Type the following command into a command-line interface:
    • gpg --verify [signature-file] [file]
    • E.g., if you have acquired
    • (1) the Public Key 0x416F061063FEE659,
    • (2) the Tor Browser Bundle file (tor-browser.tar.gz), and
    • (3) the signature-file posted alongside the Tor Browser Bundle file (tor-browser.tar.gz.asc),
    • You would type the following:
    • gpg --verify tor-browser.tar.gz.asc tor-browser.tar.gz
    3. Advertisement

Community Q&A

Search
Add New Question
  • Question
    This guide shows how it's done on Windows, how is this done on Linux and macOS? In the same way or is it different?
    Radj307
    Community Answer
    The method is identical for all platform-specific implementations of the GPG utility.
    Thanks! We're glad this was helpful.
    Thank you for your feedback.
    If wikiHow has helped you, please consider a small contribution to support us in helping more readers like you. We’re committed to providing the world with free how-to resources, and even $1 helps us in our mission. Support wikiHow
    Yes No
    Not Helpful 3 Helpful 4
  • Question
    'GPG' is not recognized as an internal or external command, operable program or batch file. What is wrong?
    Radj307
    Community Answer
    You will need GPG installed to be able to use the GPG command. On Windows, you can use GPG4Win.
    Thanks! We're glad this was helpful.
    Thank you for your feedback.
    If wikiHow has helped you, please consider a small contribution to support us in helping more readers like you. We’re committed to providing the world with free how-to resources, and even $1 helps us in our mission. Support wikiHow
    Yes No
    Not Helpful 1 Helpful 3
  • Question
    How can I acquire the Public Key in Part 1 for the file targeted for download?
    Radj307
    Community Answer
    The distributor of the file likely has their PGP public key somewhere on their website.
    Thanks! We're glad this was helpful.
    Thank you for your feedback.
    If wikiHow has helped you, please consider a small contribution to support us in helping more readers like you. We’re committed to providing the world with free how-to resources, and even $1 helps us in our mission. Support wikiHow
    Yes No
    Not Helpful 1 Helpful 2
Ask a Question
200 characters left
Include your email address to get a message when this question is answered.
Submit
      Advertisement

      Video

      Tips

      Submit a Tip
      All tip submissions are carefully reviewed before being published
      Name
      Please provide your name and last initial
      Submit
      Thanks for submitting a tip for review!

      Warning

      • Although you are now certain the Secret Key bound to the Public Key you possess was used to sign the file, you must still take precautions to ensure that this Public Key actually belongs to the person you believe it belongs to. Nothing prevents an adversary from making keys that appear to belong to someone.
      • If you have not imported someone's Public Key to your GPG Keyring, this procedure does not work.
      • The person may name the signature-file anything they want: the names of the file and the signature-file do not need to be similar or related.

      Things You'll Need

      • GPG Encryption Engine
      • Signed file
      • Signature-file
      • GPG Public Key


      You Might Also Like

      How to
      Play Minesweeper
      How to
      Add the Google Play Store to an Amazon Fire Tablet
      How to
      Open EPUB Files
      Using Rufus to Create Bootable USB Drives: A Step-By-Step Guide
      A Step-by-Step Guide to Compare Two Excel Files
      How to
      Save an Animation in Blender
      How to
      Make an Exe File
      How to
      Change the Hostname on Linux Without Rebooting
      How to
      Add a Password to a RAR File
      How to
      Crack Software by Modifying DLL Files
      2 Simple Ways to Create an RSS Feed
      How to
      Edit DLL Files
      Why Is Your Child's Screen Time Not Showing? Troubleshooting Apple Family Sharing
      How to
      Turn on Microsoft Defender in Windows 10 and 11
      Advertisement

      About This Article

      Thanks to all authors for creating a page that has been read 203,631 times.

      Is this article up to date?

      Advertisement