Typically, most software packages are included in your Linux distribution’s repository and you can easily install them using apt, dnf, dpkg and other commands. But if your desired software is not present in any of the repositories, you will need to download its installation package directly from the vendor’s website. In such cases, you need to make sure that the downloaded package was not tampered with or corrupted. For this purpose, software creators sign their packages with a PGP (Pretty Good Privacy) signature. After you download such a package, you verify its PGP signature to confirm that the package is uncorrupted and untampered. In this article, we will look at how to verify the PGP signature of downloaded software in Linux.
How to Verify PGP Signature of Downloaded Software in Linux
Here are the steps to verify the PGP signature of downloaded software in Linux. We will use the gpg application to verify the PGP signature in our example. It is already installed by default in most Linux distributions. In this case, we will verify the PGP signature of the Tixati tool.
1. Download Public Key
You can easily download the PGP key of your desired software from its downloads page. In this case, you will find PGP keys for Tixati on its downloads page.
You can directly click and download its public key, or open terminal and run the following command.
$ sudo wget https://www.tixati.com/tixati.key
Please note, the public key may have either .key or .asc extension.
2. Verify Public Key
Next, we use the gpg command to check the downloaded public key’s fingerprint.
$ sudo gpg --show-keys tixati.key
If you are using a very old version of gpg, you may need to use the following command instead.
$ sudo gpg --with-fingerprint tixati.key
The highlighted alphanumeric string is the fingerprint of the software’s public key. Compare it with the fingerprint the vendor publishes; if the two do not match, do not import the key.
3. Import Public Key
Next, you need to import the public key with the following command.
$ sudo gpg --import tixati.key
4. Download Signature File
Next, you need to download the signature file of your software package.
$ sudo wget https://download2.tixati.com/download/tixati_2.84-1_amd64.deb.asc
You may also download the signature file by clicking on its link on the downloads page.
5. Verify Downloaded Signature
Run the following command to verify the downloaded signature against the package.
$ sudo gpg --verify tixati_2.84-1_amd64.deb.asc tixati_2.84-1_amd64.deb
The output of the above command will contain ‘Good signature from …’, which confirms that the signature is valid for this file. Also check that the ‘Primary key fingerprint’ printed by gpg matches the fingerprint you checked in step 2; a ‘BAD signature’ means the package or the signature file was altered and the package must not be installed.
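The five steps above, combined into one POSIX shell function, as an added example that is not part of the original article or of Tixati. It takes the downloaded key file, the fingerprint you expect for that key, the signature file and the package, checks the fingerprint before importing, imports into a throwaway keyring (so neither your own ~/.gnupg nor root’s keyring is touched, and no sudo is needed), and then reads gpg’s machine-readable status lines instead of grepping the human-readable ‘Good signature’ text. The function and file names are assumptions; it requires gpg 2.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded package
# against a vendor key whose fingerprint you obtained from the vendor.
# Assumes gpg >= 2.1 and that key file, signature and package are local files.

# Step 2: print the primary fingerprint contained in a key file without importing it.
# (On very old gpg use: gpg --with-colons --with-fingerprint "$1")
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_package KEYFILE EXPECTED_FINGERPRINT SIGFILE PKGFILE
# Returns 0 only if the signature is valid AND was made by the expected key.
# Returns 2 on fingerprint mismatch, 3 on import failure, 1 on bad/unknown signature.
verify_package() {
    vp_key=$1; vp_expected=$2; vp_sig=$3; vp_pkg=$4

    # Refuse to import a key whose fingerprint is not the one the vendor published.
    vp_actual=$(key_fingerprint "$vp_key")
    if [ "$vp_actual" != "$vp_expected" ]; then
        echo "fingerprint mismatch: key file has $vp_actual, expected $vp_expected" >&2
        return 2
    fi

    # Step 3: import into a temporary keyring rather than the user's (or root's) keyring.
    vp_home=$(mktemp -d) || return 3
    chmod 700 "$vp_home"
    if ! gpg --homedir "$vp_home" --batch --quiet --import "$vp_key" 2>/dev/null; then
        rm -rf "$vp_home"
        return 3
    fi

    # Step 5: verify, asking gpg for status lines on stdout (--status-fd 1).
    vp_status=$(gpg --homedir "$vp_home" --batch --status-fd 1 \
                    --verify "$vp_sig" "$vp_pkg" 2>/dev/null) || true
    gpgconf --homedir "$vp_home" --kill all 2>/dev/null || true
    rm -rf "$vp_home"

    # A VALIDSIG line carries the signing-key fingerprint and, as its last field,
    # the primary key fingerprint. Accept only when that equals the expected one,
    # so a "good" signature from some other key is still rejected.
    vp_primary=$(printf '%s\n' "$vp_status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$vp_primary" ] && [ "$vp_primary" = "$vp_expected" ]
}

# Usage: ./verify.sh vendor.key <FINGERPRINT> package.deb.asc package.deb
if [ "$#" -eq 4 ]; then
    if verify_package "$@"; then
        echo "OK: valid signature from the expected key"
    else
        echo "FAILED: do not install this package" >&2
        exit 1
    fi
fi
```

The status-line approach matters because ‘Good signature’ on its own only proves that some key in your keyring signed the file; comparing the primary key fingerprint from the VALIDSIG line against the one you verified in step 2 ties the signature to the vendor’s key. The temporary keyring also sidesteps the ‘not certified with a trusted signature’ warning, which concerns web-of-trust certification and is not needed once the fingerprint has been checked directly.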
That’s it. We have verified the PGP signature of our software. The key is to download the software’s public key and signature file, check the key’s fingerprint, import the key, and use it to verify the downloaded signature against the package.