How to Verify PGP Signature of Downloaded Software on Linux

PGP, which stands for Pretty Good Privacy, is public key cryptography software. PGP can be used to encrypt and sign data communication. In this tutorial, we will look at how to verify the PGP signature of downloaded software.

Linux users can securely install software from their distribution’s repositories. But there are also times when you need to download and install software from a website. How can you be sure that the software you downloaded wasn’t tampered with?

Some software authors sign their software using a PGP program such as GPG, which is a free software implementation of the OpenPGP standard. In that case, you can verify the integrity and authenticity of the software using GPG.

The process is relatively simple:

  1. You download the public key of the software author.
  2. Check the public key’s fingerprint to ensure that it’s the correct key.
  3. Import the correct public key to your GPG public keyring.
  4. Download the software’s signature file.
  5. Use the public key to verify the PGP signature. If the signature is correct, then the software wasn’t tampered with.

We will use VeraCrypt as an example to show you how to verify the PGP signature of downloaded software.

Example: Verify PGP Signature of VeraCrypt

Although VeraCrypt is open source software, it isn’t included in the repositories of Ubuntu or other Linux distributions. We can download the VeraCrypt Linux installer from the official website.

[Screenshot: VeraCrypt verify gpg signature]

Alternatively, you can download the VeraCrypt installer in the terminal using the command below.

wget https://launchpadlibrarian.net/289850375/veracrypt-1.19-setup.tar.bz2

On the VeraCrypt download page, you can also find download links for the PGP public key and the PGP signature. Download these two files. Alternatively, you can download them in the terminal using the commands below.

PGP public key

wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc

PGP signature file

wget https://launchpad.net/veracrypt/trunk/1.19/+download/veracrypt-1.19-setup.tar.bz2.sig

Before you do anything with the public key, you must always check the key’s fingerprint to make sure it is the correct key. Display the fingerprint of the key using the command below.

gpg --with-fingerprint VeraCrypt_PGP_public_key.asc

The second line of the output is the key’s fingerprint.

[Screenshot: pgp public key fingerprint]

Compare it with the fingerprint published on the VeraCrypt website.

[Screenshot: veracrypt public key fingerprint]

As you can see, the two fingerprints are identical, which means the public key is correct. So you can import the public key into your public keyring with:

gpg --import VeraCrypt_PGP_public_key.asc

[Screenshot: gpg import public key]

Now verify the signature using the command below. You need to specify the signature file and the software installer; their names are usually identical apart from the file extension. This is a detached signature, meaning that the signature and the software are separate files.

gpg --verify veracrypt-1.19-setup.tar.bz2.sig veracrypt-1.19-setup.tar.bz2

The output should say “Good signature”. GPG may also print a warning that the key is not certified with a trusted signature. That warning concerns the web of trust, not the file: it is expected when you have checked the fingerprint manually instead of signing the key yourself.

[Screenshot: verify pgp signature]

The signature is a hash value of the installer, encrypted with the software author’s private key. GPG uses the public key to decrypt that hash value, then calculates the hash value of the VeraCrypt installer itself and compares the two. If the two hash values match, then the signature is good and the software wasn’t tampered with.

If GPG tells you it’s a bad signature, then the software installer was tampered with or corrupted in transit.
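The same five steps as one shell function, added here as an example and not part of the original tutorial. It assumes GnuPG 2.1 or later, and the expected fingerprint is the one you copy from the vendor’s website (the script never trusts the key file for it). It compares the fingerprint by machine rather than by eye and reads GPG’s machine-readable status lines instead of grepping the human text, so a signature by some other imported key cannot pass.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GnuPG 2.1+ is installed.
# verify_signed_download KEYFILE EXPECTED_FINGERPRINT SIGFILE DATAFILE
# Exit status: 0 = good signature by the pinned key, 2 = fingerprint mismatch,
# 1 = anything else (import failure, bad or missing signature).
verify_signed_download() {
    keyfile=$1 sigfile=$3 datafile=$4
    # Normalise "ABCD 1234 ..." as printed on websites to one upper-case hex string.
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    # Throwaway keyring: nothing already in ~/.gnupg can influence the result.
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    # Step 2: read the primary key fingerprint from the file without importing it.
    actual=$(gpg --homedir "$home" --batch --with-colons --with-fingerprint \
                 --import-options show-only --import "$keyfile" 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: key file has '${actual:-none}', expected '$expected'" >&2
        rm -rf "$home"; return 2
    fi
    # Step 3: import the key we have just checked.
    gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null \
        || { rm -rf "$home"; return 1; }
    # Step 5: verify. Status lines go to stdout via --status-fd 1, human text to stderr.
    # VALIDSIG carries the signing key's fingerprint and, as its last field, the
    # primary key's fingerprint; require one of them to be the pinned value.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sigfile" "$datafile" 2>/dev/null || true)
    rm -rf "$home"
    printf '%s\n' "$status" | awk -v fpr="$expected" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { valid = 1 }
        END { exit !(good && valid) }'
}
```

Call it as `verify_signed_download VeraCrypt_PGP_public_key.asc "<fingerprint from the website>" veracrypt-1.19-setup.tar.bz2.sig veracrypt-1.19-setup.tar.bz2` and check its exit status before installing.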

Importing Public Key from a Trusted Source

Note that if the software author publishes their public key ID on the website, then you can import the public key with:

gpg --recv-keys <key-ID>

Then display the fingerprint with:

gpg --fingerprint <key-ID>

Then compare the fingerprint in the output with the one published on the website. This is more secure because the public key is imported from a public key server, which by default is set to hkp://keys.gnupg.net in the ~/.gnupg/gpg.conf file. Since all of the major keyservers communicate with each other and synchronize keys, you don’t need to change the default.

That’s it!

I hope this tutorial helped you verify the PGP signature of software downloads. As always, if you found this post useful, then subscribe to our free newsletter or follow us on Google+, Twitter or like our Facebook page.
