How to Verify PGP Signature of Downloaded Software on Linux

PGP (Pretty Good Privacy) is public-key cryptography software that can be used to encrypt and sign data. In this tutorial, we will look at how to verify the PGP signature of software downloaded from the Internet on Linux.

Linux users can securely install software from their distribution’s repositories. But there are times when you need to download and install software from a website. How can you be sure that the software you downloaded wasn’t tampered with?

Some software authors sign their software using a PGP program such as GPG (GNU Privacy Guard), a free software implementation of the OpenPGP standard. In that case, you can use GPG to verify that the software is intact and was really signed by its author.

The process is relatively simple:

  1. Download the software author’s public key.
  2. Check the public key’s fingerprint to ensure that it’s the correct key.
  3. Import the correct public key into your GPG public keyring.
  4. Download the PGP signature file of the software.
  5. Use the public key to verify the PGP signature. If the signature is good, the software wasn’t tampered with.

We will use VeraCrypt as an example to show you how to verify the PGP signature of downloaded software.

Example: Verify PGP Signature of VeraCrypt

Although VeraCrypt is open-source software, it isn’t included in the Ubuntu repository. We can download the VeraCrypt Linux installer from the official website. I use Ubuntu 20.04 desktop, so I download the .deb file for Ubuntu 20.04.


On the VeraCrypt download page, you can also find the download links for the PGP public key and the PGP signature. Click the links to download these two files. Alternatively, run the following command to download the VeraCrypt PGP public key.

wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc

Before you do anything with the public key, always check the key’s fingerprint to make sure it’s the correct key. Display the fingerprint of the key with the command below.

gpg --show-keys VeraCrypt_PGP_public_key.asc

The second line of the output is the key’s fingerprint.

[Screenshot: gpg --show-keys output, with the VeraCrypt public key fingerprint on the second line]

If you are using a very old version of GPG (check with gpg --version), such as 1.4.20, use the following command to display the fingerprint instead.

gpg --with-fingerprint VeraCrypt_PGP_public_key.asc

Compare it with the fingerprint published on the VeraCrypt website.

[Screenshot: VeraCrypt GPG public key fingerprint as published on the VeraCrypt website]

As you can see, the two fingerprints are identical, which means the public key is correct. So you can import the public key into your GPG public keyring with:

gpg --import VeraCrypt_PGP_public_key.asc

[Screenshot: output of gpg --import for the VeraCrypt public key]

Now verify the signature of the installer file with the command below. You need to specify the signature file (.sig) and the installer file. This is a detached signature, meaning that the signature and the software are in separate files.

gpg --verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb

The output should say “Good Signature”.

[Screenshot: gpg --verify output reporting "Good signature" for the VeraCrypt installer]

The signature is a hash value of the file, encrypted with the software author’s private key. GPG uses the public key to decrypt the hash value, then calculates the hash of the VeraCrypt installer and compares the two. If the two hash values match, the signature is good and the software wasn’t tampered with.

If GPG tells you it’s a bad signature, the installer was tampered with or corrupted in transit.
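The verify step above, as an added example that is not part of the original tutorial: a small shell wrapper around gpg --verify that only accepts a "Good signature" when it was made by the key whose fingerprint you already compared with the vendor's website (here the VeraCrypt fingerprint shown in the tutorial's output). It reads gpg's machine-readable --status-fd lines, so BADSIG, a missing key, an expired or revoked key and a good signature from the wrong key each get a distinct result. The helper names verify_pinned and demo_with_throwaway_key are assumptions; the self-test creates a throw-away keyring and key so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Wraps the tutorial's
# "gpg --verify" step so that "Good signature" is accepted only when the
# signing key matches a fingerprint you pinned after comparing it with
# the vendor's website. Exit codes: 0 ok, 1 bad sig, 2 cannot check,
# 3 revoked/expired key, 4 good signature but from an unexpected key.

# usage: verify_pinned <file> <detached-sig> <expected-fingerprint>
verify_pinned() {
    file=$1 sig=$2
    expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')   # normalise
    # --status-fd 1 prints machine-readable "[GNUPG:] ..." lines on stdout
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
    case "$status" in
        *"[GNUPG:] BADSIG"*) echo "BAD: file or signature was altered"; return 1 ;;
        *"[GNUPG:] ERRSIG"*) echo "ERROR: cannot check signature (key not imported?)"; return 2 ;;
        *"[GNUPG:] REVKEYSIG"*|*"[GNUPG:] EXPKEYSIG"*)
            echo "REJECT: signing key is revoked or expired"; return 3 ;;
    esac
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, last field the primary key's
    actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3, $NF; exit}')
    [ -n "$actual" ] || { echo "ERROR: no valid signature found"; return 2; }
    for fpr in $actual; do
        [ "$fpr" = "$expected" ] && { echo "OK: good signature from pinned key $fpr"; return 0; }
    done
    echo "REJECT: good signature, but from an unexpected key ($actual)"; return 4
}

# Offline self-test: throw-away keyring and key, a constructed "installer",
# then the check with the right fingerprint, with a wrong (pinned VeraCrypt)
# fingerprint, and after tampering with the file. Prints the three exit codes.
demo_with_throwaway_key() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Test Key <test@example.invalid>' default default never 2>/dev/null
    fpr=$(gpg --batch --with-colons --fingerprint | awk -F: '/^fpr/ {print $10; exit}')
    printf 'constructed installer contents\n' > "$GNUPGHOME/pkg.deb"
    gpg --batch --pinentry-mode loopback --passphrase '' --detach-sign \
        -o "$GNUPGHOME/pkg.deb.sig" "$GNUPGHOME/pkg.deb" 2>/dev/null
    r1=0; verify_pinned "$GNUPGHOME/pkg.deb" "$GNUPGHOME/pkg.deb.sig" "$fpr" >&2 || r1=$?
    r2=0; verify_pinned "$GNUPGHOME/pkg.deb" "$GNUPGHOME/pkg.deb.sig" \
        "5069A233D55A0EEB174A5FC3821ACD02680D16DE" >&2 || r2=$?      # VeraCrypt key, not ours
    printf 'x' >> "$GNUPGHOME/pkg.deb"                               # tamper with the file
    r3=0; verify_pinned "$GNUPGHOME/pkg.deb" "$GNUPGHOME/pkg.deb.sig" "$fpr" >&2 || r3=$?
    gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"
    echo "$r1 $r2 $r3"
}

demo_with_throwaway_key   # prints "0 4 1"
```

For a real download, call verify_pinned with the .deb, its .sig and the fingerprint you compared against the website; a plain "Good signature" from gpg does not by itself tell you which key signed.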

Importing Public Key from a Trusted Source

Note that if the software author publishes their public key ID on the website, you can import the public key with the following command, so you don’t have to download the PGP public key manually and import it into your keyring.

gpg --recv-keys <key-ID>

Then display the fingerprint with:

gpg --fingerprint <key-ID>

Then compare the fingerprint in the output with the one published on the website. This is more secure because the public key is imported from a public key server, which by default is set to hkp://keys.gnupg.net in the ~/.gnupg/gpg.conf file. There are hundreds of public key servers around the world. Ubuntu has its own key server, and MIT also has one.

If you see the following error,

gpg: keyserver receive failed: No data

then you can try a different key server, like this:

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x680D16DE

That’s it!

I hope this tutorial helped you verify PGP signature of software downloads. As always, if you found this post useful, then subscribe to our free newsletter or follow us on Twitter or like our Facebook page.


16 Responses to “How to Verify PGP Signature of Downloaded Software on Linux”

  • fantom007
    3 years ago

    Thank you and well done play by play!

  • Bob Smith
    3 years ago

    Thank you!

  • I get the following error:
    [email protected]:~$ gpg --with-fingerprint VeraCrypt_PGP_public_key.asc

    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa4096 2014-06-27 [SCE]
    uid           VeraCrypt Team 
    

    I’m using Ubuntu 18.04.01 Live USB with persistence.

    • If you use GPG version 2.x (gpg --version), then use the --show-keys option to display the fingerprint.

      gpg --show-keys VeraCrypt_PGP_public_key.asc
  • In your tutorial, you used wget to download the detached keys for verification purposes. How did you know where to find them? I am trying to do this process for Apache Spark, but I can’t find the .asc file that the Apache Software Foundation says is supposed to be there. Thanks!

  • This is completely different from the instructions on the Tor website at https://support.torproject.org/tbb/how-to-verify-signature/

    • Sometimes you can do something in multiple ways.

      The overall process is the same, with some differences in the command line arguments.

  • Rodney Jackson
    5 months ago

    Where have I gone wrong?

    [email protected]:~$ wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
    --2021-05-14 14:02:12--  https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
    Resolving www.idrix.fr (www.idrix.fr)... 51.210.181.103
    Connecting to www.idrix.fr (www.idrix.fr)|51.210.181.103|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 5434 (5.3K) [text/plain]
    Saving to: 'VeraCrypt_PGP_public_key.asc'
    
    VeraCrypt_PGP_publi 100%[===================>]   5.31K  --.-KB/s    in 0s      
    
    2021-05-14 14:02:15 (97.9 MB/s) - 'VeraCrypt_PGP_public_key.asc' saved [5434/5434]
    
    [email protected]:~$ gpg --show-keys VeraCrypt_PGP_public_key.asc
    pub   rsa4096 2018-09-11 [SC]
          5069A233D55A0EEB174A5FC3821ACD02680D16DE
    uid                      VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) 
    sub   rsa4096 2018-09-11 [E]
    sub   rsa4096 2018-09-11 [A]
    
    [email protected]:~$ gpg --with-fingerprint VeraCrypt_PGP_public_key.asc
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa4096 2018-09-11 [SC]
    uid           VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) 
    sub   rsa4096 2018-09-11 [E]
    sub   rsa4096 2018-09-11 [A]
    [email protected]:~$ gpg --import VeraCrypt_PGP_public_key.asc
    gpg: key 821ACD02680D16DE: 1 signature not checked due to a missing key
    gpg: key 821ACD02680D16DE: public key "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) " imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg: no ultimately trusted keys found
    [email protected]:~$ gpg --verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb
    gpg: can't open 'veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig': No such file or directory
    gpg: verify signatures failed: No such file or directory
    [email protected]:~$ gpg --verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb
    gpg: can't open 'veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig': No such file or directory
    gpg: verify signatures failed: No such file or directory
    [email protected]:~$ gpg --import VeraCrypt_PGP_public_key.asc
    gpg: key 821ACD02680D16DE: 1 signature not checked due to a missing key
    gpg: key 821ACD02680D16DE: "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) " not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    [email protected]:~$ gpg --verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb
    gpg: can't open 'veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig': No such file or directory
    gpg: verify signatures failed: No such file or directory
    [email protected]:~$ gpg --recv-keys 
    bash: syntax error near unexpected token `newline'
    [email protected]:~$ gpg --recv-keys 
    bash: syntax error near unexpected token `newline'
    [email protected]:~$ gpg --fingerprint 
    bash: syntax error near unexpected token `newline'
    [email protected]:~$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x680D16DE
    gpg: key 821ACD02680D16DE: "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) " not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    [email protected]:~$ gpg --show-keys VeraCrypt_PGP_public_key.asc
    pub   rsa4096 2018-09-11 [SC]
          5069A233D55A0EEB174A5FC3821ACD02680D16DE
    uid                      VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) 
    sub   rsa4096 2018-09-11 [E]
    sub   rsa4096 2018-09-11 [A]
    
    [email protected]:~$ 
    
    
    • Copy and paste without thinking.

      You need to know

      1.) your current working directory, which can be shown with the pwd command
      2.) which directory the signature file and the software installer file were downloaded to.

    • Vedang Mulay
      3 months ago

      Also use the

      ls

      command to check the files in the current directory to make sure the file is there. Check to make sure the file isn’t misspelled. Usually you can copy and paste from the terminal window by doing CTRL+SHIFT+C and CTRL+SHIFT+V, so you don’t need to type manually.

  • eddy canuck
    3 months ago

    Ok – I am using gpg v2.2.4 under Zorin v15.3 (Ubuntu 18.04) and there is NO shows-keys Command, so it must be something different and in scanning the output of the Command I am at a loss to see which one it is.

    I reproduce here:
    ====================================

    Commands:
     
     -s, --sign                  make a signature
         --clear-sign            make a clear text signature
     -b, --detach-sign           make a detached signature
     -e, --encrypt               encrypt data
     -c, --symmetric             encryption only with symmetric cipher
     -d, --decrypt               decrypt data (default)
         --verify                verify a signature
     -k, --list-keys             list keys
         --list-signatures       list keys and signatures
         --check-signatures      list and check key signatures
         --fingerprint           list keys and fingerprints
     -K, --list-secret-keys      list secret keys
         --generate-key          generate a new key pair
         --quick-generate-key    quickly generate a new key pair
         --quick-add-uid         quickly add a new user-id
         --quick-revoke-uid      quickly revoke a user-id
         --quick-set-expire      quickly set a new expiration date
         --full-generate-key     full featured key pair generation
         --generate-revocation   generate a revocation certificate
         --delete-keys           remove keys from the public keyring
         --delete-secret-keys    remove keys from the secret keyring
         --quick-sign-key        quickly sign a key
         --quick-lsign-key       quickly sign a key locally
         --sign-key              sign a key
         --lsign-key             sign a key locally
         --edit-key              sign or edit a key
         --change-passphrase     change a passphrase
         --export                export keys
         --send-keys             export keys to a keyserver
         --receive-keys          import keys from a keyserver
         --search-keys           search for keys on a keyserver
         --refresh-keys          update all keys from a keyserver
         --import                import/merge keys
         --card-status           print the card status
         --edit-card             change data on a card
         --change-pin            change a card's PIN
         --update-trustdb        update the trust database
         --print-md              print message digests
         --server                run in server mode
         --tofu-policy VALUE     set the TOFU policy for a key
    
    Options:
     
     -a, --armor                 create ascii armored output
     -r, --recipient USER-ID     encrypt for USER-ID
     -u, --local-user USER-ID    use USER-ID to sign or decrypt
     -z N                        set compress level to N (0 disables)
         --textmode              use canonical text mode
     -o, --output FILE           write output to FILE
     -v, --verbose               verbose
     -n, --dry-run               do not make any changes
     -i, --interactive           prompt before overwriting
         --openpgp               use strict OpenPGP behavior
    
    (See the man page for a complete listing of all commands and options)
    
    Examples:
    
     -se -r Bob [file]          sign and encrypt for user Bob
     --clear-sign [file]        make a clear text signature
     --detach-sign [file]       make a detached signature
     --list-keys [names]        show keys
     --fingerprint [names]      show fingerprints
    
    Please report bugs to .

    =============================================

  • Vedang Mulay
    3 months ago

    Thanks Xiao, clearly explained. I will add that pgp key blocks can be verified by copying and pasting into the command line as well so don’t need to save to file.
