How to Verify PGP Signature of Downloaded Software on Linux
PGP (Pretty Good Privacy) is public-key cryptography software that can be used to encrypt and to sign data. In this tutorial, we will look at how to verify the PGP signature of downloaded software.
Linux users can securely install software from their distribution’s repositories, which are signed by the distribution. But there are also times when you need to download and install software from a website. How can you be sure that the software you downloaded wasn’t tampered with?
Some software authors sign their releases using a PGP program such as GPG (GnuPG), a free software implementation of the OpenPGP standard. In that case, you can use GPG to verify both that the file is the one the author signed (authenticity) and that it was not modified in transit (integrity).
The process is relatively simple:
- You download the public key of the software author.
- Check the public key’s fingerprint to ensure that it’s the correct key.
- Import the correct public key to your GPG public keyring.
- Download the software’s signature file.
- Use the public key to verify the PGP signature. If the signature is good and it was made by the key whose fingerprint you checked, the software is the file the author signed and wasn’t tampered with.
We will use VeraCrypt as an example to show you how to verify PGP signature of downloaded software.
Example: Verify PGP Signature of VeraCrypt
Although VeraCrypt is open source software, it isn’t included in Ubuntu’s or most other Linux distributions’ repositories. You can download the VeraCrypt Linux installer from the official website.
Alternatively, you can download the VeraCrypt installer in the terminal using the command below.
On the VeraCrypt download page you will also find download links for the PGP public key and the PGP signature. Download both files. Alternatively, you can download them in the terminal using the commands below.
PGP public key
PGP signature file
Before you do anything with the public key, you must always check the key’s fingerprint to make sure it is the correct key. Display the fingerprint of the key file, without importing it, using the command below.
gpg --with-fingerprint VeraCrypt_PGP_public_key.asc
On newer GnuPG 2.x versions, gpg --show-keys VeraCrypt_PGP_public_key.asc does the same. The line of 40 hexadecimal digits directly under the pub line (the second line of the output) is the key’s fingerprint.
Compare it with the fingerprint published on the VeraCrypt website. Note that the key, the fingerprint and the signature all come from the same website; if that site were compromised, an attacker could replace all three consistently, so cross-checking the fingerprint against a second source (for example the project’s source repository or a mailing-list announcement) is worthwhile when you can.
If the two fingerprints are identical, the public key is correct and you can import it into your public keyring with the command below. If they differ, stop here and do not use that key.
gpg --import VeraCrypt_PGP_public_key.asc
Now verify the signature using the command below. You need to specify the signature file and the software installer; their names are usually identical, differing only in the file extension. This is a detached signature, meaning that the signature and the software are separate files.
gpg --verify veracrypt-1.19-setup.tar.bz2.sig veracrypt-1.19-setup.tar.bz2
The output should contain a line beginning with “Good signature from”, followed by the author’s user ID. Unless you have certified the key yourself, GPG also prints a warning that the key is not certified with a trusted signature and shows the primary key fingerprint. That warning is expected, but the fingerprint it shows must be the one you checked earlier: GPG reports a good signature for a signature made by any key in your keyring, not only the one you meant to use.
The signature is computed over a cryptographic hash of the installer using the software author’s private key. GPG recomputes the hash of the file you downloaded and uses the public key to check that the signature is valid for that hash. If it is, the signature is good and the installer is exactly what the author signed.
If GPG reports a bad signature, the installer was tampered with or corrupted in transit. Download it again; if the result is the same, do not install it.
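The following script is an added example, not code from the original post or from the VeraCrypt project. It automates the five steps listed above and the VeraCrypt walk-through in a throwaway keyring (so your own keyring is untouched), and it fixes the weak spot in reading the human-readable output: instead of looking for the words “Good signature”, it reads GPG’s machine-readable status lines (gpg --status-fd) and accepts the file only when the VALIDSIG line names the fingerprint you expected. It assumes GnuPG 2.x is installed; the file names, the expected fingerprint in the comments, and the “Demo Signer” identity generated by demo() are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the VeraCrypt project): verify a
# detached OpenPGP signature and pin the signer to a published fingerprint.
# Assumes GnuPG 2.x is installed; all file names, the expected fingerprint and the
# "Demo Signer" identity used in demo() are constructed for this example.
set -eu

# Strip spaces and uppercase, so "ab cd ef" and "ABCDEF" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# check_status STATUS_TEXT EXPECTED_FPR
# Parses "gpg --status-fd" machine-readable lines. Succeeds only if a VALIDSIG line
# names EXPECTED_FPR as the signing key (field 3) or its primary key (field 12) and
# no BADSIG/ERRSIG appeared. A GOODSIG from some other key in the keyring fails.
check_status() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($12) == want) found = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }'
}

# verify_download FILE SIG PUBKEY_FILE EXPECTED_FPR
# The tutorial's steps in an isolated throwaway keyring, so the user's own keyring
# is never touched: import the key, confirm its fingerprint, verify the signature.
verify_download() {
    file="$1"; sig="$2"; pubkey="$3"; want=$(normalize_fpr "$4")
    home=$(mktemp -d)
    GNUPGHOME="$home" gpg --batch --quiet --import "$pubkey" 2>/dev/null
    # The published fingerprint must belong to a key we just imported.
    if ! GNUPGHOME="$home" gpg --batch --with-colons --with-fingerprint --list-keys 2>/dev/null \
            | awk -F: '$1 == "fpr" { print toupper($10) }' | grep -qx "$want"; then
        echo "fingerprint $want not found in $pubkey" >&2
        rm -rf "$home"; return 2
    fi
    # Read status lines instead of the human-readable "Good signature" text.
    status=$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)
    GNUPGHOME="$home" gpgconf --kill all 2>/dev/null || true
    rm -rf "$home"
    check_status "$status" "$want"
}

# demo: offline end-to-end run with a throwaway key. Signs a constructed file, checks
# that the good signature verifies, then that a tampered file is rejected.
demo() {
    work=$(mktemp -d); signer="$work/signer"; mkdir -m 700 "$signer"
    uid='Demo Signer <demo@example.invalid>'   # constructed identity
    GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default never 2>/dev/null
    fpr=$(GNUPGHOME="$signer" gpg --batch --with-colons --with-fingerprint --list-keys 2>/dev/null \
            | awk -F: '$1 == "fpr" { print $10; exit }')
    GNUPGHOME="$signer" gpg --batch --armor --export "$fpr" > "$work/key.asc" 2>/dev/null
    printf 'constructed installer contents\n' > "$work/installer.tar.bz2"
    GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$work/installer.tar.bz2.sig" --detach-sign "$work/installer.tar.bz2" 2>/dev/null
    rc=0
    verify_download "$work/installer.tar.bz2" "$work/installer.tar.bz2.sig" "$work/key.asc" "$fpr" || rc=1
    printf 'tampered\n' >> "$work/installer.tar.bz2"
    if verify_download "$work/installer.tar.bz2" "$work/installer.tar.bz2.sig" "$work/key.asc" "$fpr"; then rc=1; fi
    GNUPGHOME="$signer" gpgconf --kill all 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}

# Usage: sh verify.sh verify FILE FILE.sig KEY.asc "FINGERPRINT"   or:   sh verify.sh demo
case "${1:-}" in
    demo)   demo ;;
    verify) verify_download "$2" "$3" "$4" "$5" ;;
esac
```

For a real download you would run it as sh verify.sh verify veracrypt-1.19-setup.tar.bz2 veracrypt-1.19-setup.tar.bz2.sig VeraCrypt_PGP_public_key.asc "<fingerprint from the website>"; a zero exit status means the signature is good and was made by the pinned key, 2 means the key file did not contain the expected fingerprint, and 1 means the signature was bad, missing, or made by some other key.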
Importing Public Key from a Trusted Source
Note that if the software author publishes their key ID on the website, you can fetch the public key from a key server instead of downloading the .asc file:
gpg --recv-keys <key-ID>
Prefer the full 40-digit fingerprint over a short key ID here; short key IDs are not unique, and gpg --recv-keys accepts a fingerprint. Then display the fingerprint with:
gpg --fingerprint <key-ID>
And compare the fingerprint in the output with the one published on the website. Fetching from a key server is a convenient alternative, but it is not more secure by itself: key servers do not verify who uploads a key, so anyone can publish a key carrying the author’s name. The fingerprint comparison is still what establishes that you have the right key. The key server gpg uses is set by the keyserver option in the ~/.gnupg/gpg.conf file; the default is fine for this purpose, so you don’t need to change it.
I hope this tutorial helped you verify the PGP signature of your software downloads.