How to Verify PGP Signature of Downloaded Software on Linux

PGP (Pretty Good Privacy) is public-key cryptography software used to encrypt and sign data. In this tutorial we look at how to verify the PGP signature of downloaded software.

Linux users can install software from their distribution's repositories, where every package is signed by the distribution. But sometimes you need to download and install software from a website. How can you be sure that what you downloaded wasn't tampered with, either on the server or on the way to you?

Some software authors sign their releases with a PGP implementation such as GPG (GnuPG), a free-software implementation of the OpenPGP standard. In that case you can use GPG to verify both the integrity of the download (the file was not altered) and its authenticity (it was signed by the holder of the author's private key).

The process is relatively simple:

  1. Download the software author's public key.
  2. Check the public key's fingerprint against a fingerprint you obtained from a source you trust (the project's website over HTTPS, its documentation, a previous installation) to make sure it is the author's key and not one that someone substituted.
  3. Import the verified public key into your GPG public keyring.
  4. Download the software's signature file.
  5. Use the public key to verify the signature. A good signature from the expected key means the file is byte-for-byte what the key holder signed.

We will use VeraCrypt as an example to show you how to verify PGP signature of downloaded software.

Example: Verify PGP Signature of VeraCrypt

Although VeraCrypt is open-source software, it isn't included in the Ubuntu repositories or in those of most other Linux distributions, so the Linux installer is downloaded from the official website. The commands below use version 1.19, the current release at the time of writing; substitute the version you download.

Alternatively you can download VeraCrypt installer in terminal using the command below.

wget https://launchpadlibrarian.net/289850375/veracrypt-1.19-setup.tar.bz2

On the VeraCrypt download page you can also find the PGP public key and the PGP signature file for the installer. Download both, or fetch them in the terminal with the commands below.

PGP public key

wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc

PGP signature file

wget https://launchpad.net/veracrypt/trunk/1.19/+download/veracrypt-1.19-setup.tar.bz2.sig

Before you do anything with the public key, check its fingerprint so that you know it is the author's key and not one that someone slipped in. Display the fingerprint without importing the key:

gpg --show-keys --with-fingerprint VeraCrypt_PGP_public_key.asc

(--show-keys is available in GnuPG 2.2 and later. On older releases use gpg --with-fingerprint VeraCrypt_PGP_public_key.asc; GnuPG 2.x still accepts that form but warns that no command was supplied, because --with-fingerprint is an option rather than a command.)

The fingerprint is the line of 40 hexadecimal digits printed under the pub line (older releases print it as "Key fingerprint = ..."). Its last 16 digits are the long key ID and its last 8 digits the short key ID; neither is a substitute for comparing the full fingerprint.


Compare it with the fingerprint published on the VeraCrypt website. Ideally the fingerprint comes from a channel other than the one you downloaded the key over; if an attacker can replace the key file on a mirror, they can often replace a fingerprint on the same page too.


As you can see, the two fingerprints are identical, which means the key file you downloaded is the key VeraCrypt publishes (the check is only as good as your trust in the page you read the fingerprint from). Import it into your public keyring with:

gpg --import VeraCrypt_PGP_public_key.asc


Now verify the signature. Give GPG the signature file first and then the installer; their names are usually identical apart from the extension (.sig, or .asc for an ASCII-armored signature). This is a detached signature: the signature lives in its own file, separate from the software it covers.

gpg --verify veracrypt-1.19-setup.tar.bz2.sig veracrypt-1.19-setup.tar.bz2

The output should say "Good signature from "VeraCrypt Team"". It will normally also print:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 993B 7D7E 8E41 3809 828F 0F29 EB55 9C7C 54DD D393

That warning is expected and does not mean the signature is bad: it says GPG has no web-of-trust path to the key. You did that trust step by hand when you compared fingerprints, so check once more that the Primary key fingerprint line matches the fingerprint you verified. "Good signature" on its own only tells you that some key in your keyring signed the file. If you want to silence the warning for future checks, gpg --lsign-key <fingerprint> records a local, non-exportable certification of the key.

To sign the release, the author's GPG hashes the installer and produces a signature over that hash with the private key. To verify, your GPG hashes your copy of the installer and uses the public key to check that the signature is valid for that hash. Any change to the file, however small, changes the hash and the check fails. (The common description "the hash encrypted with the private key" is a loose RSA-only intuition; DSA, ECDSA and EdDSA signatures are not encryption at all, but the verification logic is the same.)

If GPG reports "BAD signature", the installer or the signature file was modified or corrupted after signing, or the signature file belongs to a different release than the one you downloaded. If it reports "Can't check signature: No public key", you have not imported the signer's key, or the file was signed by a key other than the one you imported; the key ID it prints should belong to the key whose fingerprint you verified.
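The whole procedure as one script, added here as an example; it is not from the original tutorial, from VeraCrypt or from GnuPG. It pins the fingerprint you verified out of band, refuses to import a key file whose fingerprint differs, and checks the signature through GPG's machine-readable --status-fd output rather than by looking for the words "Good signature", so that a valid signature from some other key in your keyring is rejected. It assumes GnuPG 2.x on PATH (for --import-options show-only and --status-fd) and the VeraCrypt file names used above. The status output embedded at the end is constructed, modelled on the VeraCrypt key's fingerprint, so the matching logic can be run without the real downloads or network access.

```sh
#!/bin/sh
# Added example for this tutorial; not VeraCrypt's or GnuPG's own code.
# Scripts the five steps above and adds the check that "Good signature"
# alone does not give you: that the signature was made by the key whose
# fingerprint you pinned, not by any other key in your keyring.
# Assumptions: GnuPG 2.x on PATH; file names as in the VeraCrypt example.
set -eu

# Fingerprint of the VeraCrypt Team key as printed by gpg later on this page.
# In practice copy yours from a channel independent of the download.
EXPECTED_FPR="993B 7D7E 8E41 3809 828F 0F29 EB55 9C7C 54DD D393"

# Strip the spaces gpg prints between groups and upper-case the hex digits
# so fingerprints can be compared as plain strings.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Primary-key fingerprint inside a key file, read without importing it.
# --with-colons is the stable machine format: the first "fpr" record after
# "pub" is the primary key, and field 10 holds the fingerprint.
primary_fpr_in_file() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null |
        awk -F: '$1 == "pub" { want = 1 } $1 == "fpr" && want { print $10; exit }'
}

# Steps 2 and 3: import the key only if its fingerprint is the pinned one.
import_pinned_key() {
    keyfile=$1
    want=$(normalize_fpr "$2")
    got=$(primary_fpr_in_file "$keyfile")
    if [ "$got" != "$want" ]; then
        echo "FAIL: $keyfile carries fingerprint '$got', expected $want" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" 2>/dev/null
}

# From gpg --status-fd output, print the primary-key fingerprint carried by
# the VALIDSIG record (its 12th field), or nothing if there is no VALIDSIG.
# Field 3 is the fingerprint of the (sub)key that made the signature; the
# primary fingerprint is the one you compared against the website.
validsig_primary_fpr() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }'
}

# Decide from status records whether the file was validly signed by the
# pinned key. Returns 0 on success, 1 otherwise. Pure, so it is easy to test.
status_signed_by() {
    got=$(validsig_primary_fpr "$1")
    [ -n "$got" ] && [ "$got" = "$(normalize_fpr "$2")" ]
}

# Step 5: verify a detached signature and require the pinned key.
verify_download() {
    sig=$1; data=$2; want=$3
    # --status-fd 1 sends machine-readable records to stdout; the human text
    # ("Good signature from ...") goes to stderr and is never parsed.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || status=""
    if status_signed_by "$status" "$want"; then
        echo "OK: $data was signed by $(normalize_fpr "$want")"
    else
        echo "FAIL: $data has no valid signature from the pinned key" >&2
        return 1
    fi
}

# Constructed sample of what gpg --status-fd 1 --verify emits for a good
# signature, modelled on the VeraCrypt key; lets status_signed_by be
# exercised without a keyring or network access.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 993B7D7E8E413809828F0F29EB559C7C54DDD393 0
[GNUPG:] GOODSIG EB559C7C54DDD393 VeraCrypt Team
[GNUPG:] VALIDSIG 993B7D7E8E413809828F0F29EB559C7C54DDD393 2018-03-30 1522418311 0 4 0 1 10 00 993B7D7E8E413809828F0F29EB559C7C54DDD393
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage with the real downloads from the tutorial:
#   import_pinned_key VeraCrypt_PGP_public_key.asc "$EXPECTED_FPR"
#   verify_download veracrypt-1.19-setup.tar.bz2.sig veracrypt-1.19-setup.tar.bz2 "$EXPECTED_FPR"
```

The TRUST_UNDEFINED record is the machine form of the "not certified with a trusted signature" warning; the script ignores it on purpose, because the fingerprint comparison, not the web of trust, is what establishes trust here. If you later run gpg --lsign-key on the key, that record changes to TRUST_ULTIMATE or TRUST_FULLY and the script behaves the same.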

Importing the Public Key from a Keyserver

If the author publishes the key's fingerprint (or key ID) on the website, you can fetch the key from a keyserver instead of downloading a key file:

gpg --recv-keys <fingerprint>

Give the full 40-digit fingerprint, not an 8-digit short key ID or even the 16-digit long ID: short IDs are cheap to collide, and a keyserver will happily hand you an impostor's key that has the same ID. Then display the fingerprint of what was imported:

gpg --fingerprint <fingerprint>

and compare it with the fingerprint published on the website, exactly as before. A keyserver is not a trusted source: anyone can upload a key with any name and e-mail address on it, and keyservers do not verify who owns a key. Fetching from a keyserver is a convenience; the fingerprint comparison against an independent channel is still what establishes that the key is the author's. Which keyserver is used depends on your GnuPG version and configuration (the keyserver option in ~/.gnupg/dirmngr.conf for GnuPG 2.1 and later, ~/.gnupg/gpg.conf for older releases). The hkp://keys.gnupg.net default of older releases was an alias for the SKS keyserver pool, which has since shut down; recent releases default to hkps://keys.openpgp.org, which serves a key's user IDs only after the owner has confirmed the e-mail address, so a key fetched from it may show no name.

That’s it!


5 Responses to "How to Verify PGP Signature of Downloaded Software on Linux"

  • fantom007
    4 months ago

    Thank you and well done play by play!

  • Bob Smith
    4 months ago

    Thank you!

  • I get the following error:
    $ gpg --with-fingerprint VeraCrypt_PGP_public_key.asc
    gpg: WARNING: no command supplied. Trying to guess what you mean …
    pub rsa4096 2014-06-27 [SCE]
    uid VeraCrypt Team

    I’m using Ubuntu 18.04.01 Live USB with persistence.

    I also tried -fingerprint and I see the same number as on the website; however, the ID is not listed.

    $ gpg -fingerprint VeraCrypt_PGP_public_key.asc
    gpg: WARNING: no command supplied. Trying to guess what you mean …
    pub rsa4096 2014-06-27 [SCE]
    993B7D7E8E413809828F0F29EB559C7C54DDD393
    uid VeraCrypt Team

    Then I imported it.

    $ gpg --import VeraCrypt_PGP_public_key.asc
    gpg: key EB559C7C54DDD393: public key “VeraCrypt Team ” imported
    gpg: Total number processed: 1
    gpg: imported: 1

    Note the different value for key as EB559C7C54DDD393. Is this expected?

    I removed the key and used recv-keys to get the public key using the ID provided on veracrypt’s website.

    $ gpg --recv-keys 0x54DDD393
    gpg: key EB559C7C54DDD393: 240 signatures not checked due to missing keys
    gpg: key EB559C7C54DDD393: public key “VeraCrypt Team ” imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1

    $ gpg --verify veracrypt-1.22-setup.tar.bz2.sig veracrypt-1.22-setup.tar.bz2
    gpg: Signature made Fri Mar 30 13:58:31 2018 UTC
    gpg: using RSA key 993B7D7E8E413809828F0F29EB559C7C54DDD393
    gpg: Good signature from “VeraCrypt Team ” [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 993B 7D7E 8E41 3809 828F 0F29 EB55 9C7C 54DD D393

    Is the different output due to different versions of gpg/linux we are using? Did I do this correctly and can I trust that the software I have downloaded is not corrupt?

  • The way to get fingerprint was changed due to more restrictions in later linux versions.
    Now following can be used (but needs manual check or some scripts afterwards):

    cat ./VeraCrypt_PGP_public_key.asc | gpg --with-colons --import-options import-show --dry-run --import
    
