- Categories
- Computers and Electronics
- Internet
- Internet Security
Download Article
Explore this Article
methods
2Windows
Other Sections
Video
Related Articles
References
Article Summary
Written byNicole Levine, MFA
Last Updated: August 5, 2024Fact Checked
Download Article
This wikiHow teaches you how to verify the PGP signature of a downloaded file. You should always verify the PGP signature of a signed file to make sure the version you downloaded is official. To verify the signature, you'll need the publisher's public key, the software's signature file, and GnuPG. GnuPG is preinstalled in all Linux distributions, but you'll need to install it if you're using Windows or macOS.
Method 1
Method 1 of 2:
Linux & macOS
Download Article
1
Install GPG if you're using a Mac. If you're using a Linux installation outside of macOS, you can skip this step. macOS users should first install Homebrew, and then use it to install the GnuPG software package:
- Open Terminal, which you'll find in Applications > Utilities.
- Type /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" and press Return.[1]
- Follow the on-screen instructions to install Homebrew.
- Once Homebrew is installed, type brew install gnupg and press Return.[2]
2
Download the PGP signature file. This is the file that ends with .sig. Be sure to save the signature file to the same directory as the file you want to check.
- An easy way to do this is from the command prompt is to cd into the appropriate directory and download the file using wget https://path/to/signaturefile.sig.
Advertisem*nt
3
Download the signer's public key. You can usually download this from the signer's website or by saving an email attachment to your computer. The public key file usually ends with .asc.
- As with downloading the signature file, you can use wget to download the public key.
- If you have the key ID but not a path to download the file, use this command to get the key: gpg --recv-keys KEYID. If you receive the key this way, skip step 4 and go directly to step 5.
4
Import the public key into your public keyring. You can do this with the following command in a terminal window:
- gpg --import PUBLICKEY.
- Replace PUBLICKEY with the actual file name.[3]
5
Verify the signature. Now that all of the files are in their correct locations, you can verify the signature with the following command:
- gpg --verify SIGNATURE.SIG FILE.
- Replace SIGNATURE.SIG with the signature file name, and FILE with the name of the file you want to verify.
- If the output says "Good Signature," you've successfully verified the key. If the signature is bad, you'll know the file is broken or has been edited since the signing.
Advertisem*nt
Method 2
Method 2 of 2:
Windows
Download Article
1
Install Gpg4win. You can get the application from https://www.gpg4win.org/download.html. During the installation, you'll see a list of apps that will be installed—just keep the default options selected.
- The default installation location is C:\Program Files (x86)\Gnu\GnuPg\gpg.exe. When you run the command required to verify the signature, you'll need to enter the full path to the gpg.exe file. If you choose a different install location, make sure you remember the full path.[4]
2
Download the PGP signature. This is the file that ends with .sig. You'll need to save the file to the same directory as the file you want to verify.
3
Download the signer's public key. You can usually download this from the signer's website or by saving an email attachment to your computer. The public key file usually ends with .asc. This should also be saved to the same folder.
4
Open the Windows File Explorer. It's the folder icon on the taskbar. You can also open it by pressing the Windows key + E.[5]
5
Open the folder containing the signature and file you want to check. If you don't see a navigation pane in the left panel of File explorer, click the View menu at the top and select Navigation pane and then Navigation pane again to bring it up. This makes it easier to find what you're looking for.
6
Press ⇧ Shift as you right-click inside the folder. A menu will expand.
7
Click Open Command Prompt here. If you don't see that option, select Open PowerShell window here.
8
Import the public key file into your keychain. Here's how:
- Type C:\Program Files (x86)\Gnu\GnuPg\gpg.exe --import PUBLICKEY and press Enter. Replace PUBLICKEY with the actual file name.
- If you don't have a file containing the public key, but you do have a key ID, use this command instead: C:\Program Files (x86)\Gnu\GnuPg\gpg.exe --recv-keys KEYID.
9
Check the signature. Now that the files are ready, here's how to verify the signature:[6]
- C:\Program Files (x86)\Gnu\GnuPg\gpg.exe --verify SIGNATURE.SIG FILE.
- Replace SIGNATURE.SIG with the signature file name, and FILE with the name of the file you want to verify.
- If the output says "Good Signature," you've successfully verified the key. If the signature is bad, you'll know the file is broken or has been edited since the signing.
Advertisem*nt
Community Q&A
Search
Question
What is an open source software that can do the same thing? Some of us have special security circ*mstances.
Radj307
Community Answer
GPG (GNU Privacy Guard), as part of the GNU movement, is open-source software.
Thanks! We're glad this was helpful.
Thank you for your feedback.
If wikiHow has helped you, please consider a small contribution to support us in helping more readers like you. We’re committed to providing the world with free how-to resources, and even $1 helps us in our mission.Support wikiHowYesNo
Not Helpful 2Helpful 6
Ask a Question
200 characters left
Include your email address to get a message when this question is answered.
Advertisem*nt
Video
Tips
Submit a Tip
All tip submissions are carefully reviewed before being published
Name
Please provide your name and last initial
Submit
Thanks for submitting a tip for review!
You Might Also Like
Advertisem*nt
References
- ↑ https://brew.sh/
- ↑ https://formulae.brew.sh/formula/gnupg
- ↑ https://www.linuxbabe.com/security/verify-pgp-signature-software-downloads-linux
- ↑ https://www.openoffice.org/download/checksums.html#pgp_win
- ↑ https://support.microsoft.com/en-us/windows/find-and-open-file-explorer-ef370130-1cca-9dc5-e0df-2f7416fe1cb1
- ↑ https://chasingcode.dev/blog/verify-pgp-signature-windows-10/
About This Article
Written by:
Nicole Levine, MFA
wikiHow Technology Writer
This article was co-authored by wikiHow staff writer, Nicole Levine, MFA. Nicole Levine is a Technology Writer and Editor for wikiHow. She has more than 20 years of experience creating technical documentation and leading support teams at major web hosting and software companies. Nicole also holds an MFA in Creative Writing from Portland State University and teaches composition, fiction-writing, and zine-making at various institutions. This article has been viewed 269,188 times.
How helpful is this?
Co-authors: 19
Updated: August 5, 2024
Views:269,188
Categories: Internet Security
Article SummaryX
1.Install GnuPG if you're using a Mac, or GPG4win if you're using Windows.
2.Download the PGP signature file to the same directory as the file you're checking.
3.Download the signer's public key to the same location.
4.Import the key into your public keyring.
5.Use gpg --verify to verify the signature.
Did this summary help you?
- Send fan mail to authors
Thanks to all authors for creating a page that has been read 269,188 times.
Is this article up to date?
Advertisem*nt