How to Verify PGP Signature of Downloaded Software in Linux

Typically, most software packages are included in your Linux distribution’s repository and you can easily install them using apt, dnf, dpkg and other commands. But if your desired software is not present in any of the repositories, you will need to download its installation package directly from the vendor’s website. In such cases, you need to ensure that the downloaded package was not tampered with or corrupted. For this purpose, software creators sign their packages with a PGP (Pretty Good Privacy) signature. After you download such a package, you verify its PGP signature to confirm that the package is uncorrupted and untampered. In this article, we will look at how to verify the PGP signature of downloaded software in Linux.


Here are the steps to verify the PGP signature of downloaded software in Linux. We will use the gpg application to verify the PGP signature in our example; it is already installed by default in most Linux distributions. In this case, we will verify the PGP signature of the Tixati tool.


1. Download Public Key

You can easily download the PGP key of your desired software from its downloads page. In this case, you will find the PGP key for Tixati on its downloads page.

You can click the link to download its public key directly, or open a terminal and run the following command.

$ wget https://www.tixati.com/tixati.key

Note that the public key file may have either a .key or an .asc extension.


2. Verify Public Key

Next, we use the gpg command to check the downloaded public key’s fingerprint.

$ gpg --show-keys tixati.key

If you are using a very old version of gpg, you may need to use the following command instead.

$ gpg --with-fingerprint tixati.key

The highlighted alphanumeric string is the fingerprint of the software’s public key. Compare it with the fingerprint the vendor publishes on its website; a key that does not match should not be imported.


3. Import Public Key

Next, you need to import the public key with the following command.

$ gpg --import tixati.key


4. Download Signature File

Next, you need to download the signature file of your software package.

$ wget https://download2.tixati.com/download/tixati_2.84-1_amd64.deb.asc

You may also download the signature file by clicking on its link on the downloads page.


5. Verify Downloaded Signature

Run the following command to verify the downloaded signature.

$ gpg --verify tixati_2.84-1_amd64.deb.asc tixati_2.84-1_amd64.deb

The output of the above command will contain ‘Good signature from …’, which confirms that the signature verified correctly. You can also see that the fingerprint printed here matches the one shown in step 2. gpg may additionally warn that the key is not certified with a trusted signature; that is expected for a freshly imported key, and it is exactly why the fingerprint check in step 2 matters.

That’s it. We have verified the PGP signature for our software. The key is to download that software’s public key and signature, import the public key and use it to verify the downloaded signature.
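As an added example that is not part of the original article, the following POSIX shell script wraps the five steps above: it imports the vendor's key into a throwaway keyring, runs gpg --verify with --status-fd, and accepts the package only if the signing (or primary) key fingerprint matches one you pinned in advance from a trusted source. The fingerprint, file names and the check_status/verify_package helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the article's own commands): verify a package against a
# PINNED key fingerprint in an ephemeral keyring, so a key swapped on the
# download page cannot silently pass verification.
set -eu

# Read gpg --status-fd lines from stdin; succeed only on VALIDSIG whose
# signing or primary fingerprint equals the expected one. Prints a reason.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    seen_valid=0
    while read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG"*)    echo "bad signature"; return 1 ;;
            "[GNUPG:] NO_PUBKEY"*) echo "signing key not in keyring"; return 1 ;;
            "[GNUPG:] VALIDSIG"*)
                set -- $line                 # word-split the status line
                sig_fpr=$3                   # field 3: signing key fingerprint
                for w; do primary_fpr=$w; done   # last field: primary key fpr
                if [ "$sig_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
                    seen_valid=1
                fi ;;
        esac
    done
    if [ "$seen_valid" -eq 1 ]; then echo ok; return 0; fi
    echo "no valid signature from pinned key"; return 1
}

# verify_package KEYFILE SIGFILE PACKAGE EXPECTED_FPR
# Uses a temporary GNUPGHOME so the user's keyring is never modified.
verify_package() {
    tmp=$(mktemp -d); chmod 700 "$tmp"
    gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null \
        || { rm -rf "$tmp"; echo "key import failed"; return 1; }
    if gpg --homedir "$tmp" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null \
        | check_status "$4"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Usage (the fingerprint below is a constructed placeholder, not Tixati's):
#   sh verify.sh tixati.key tixati_2.84-1_amd64.deb.asc tixati_2.84-1_amd64.deb \
#      'AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333 4444'
if [ "$#" -eq 4 ]; then
    verify_package "$@"
fi
```

The exit status of verify_package is what a download script should branch on; the printed reason is only for the operator.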
