7.15. Checking a Signature
Problem
You want to verify that a GnuPG-signed file has not been altered.
Solution
To check a signed file, myfile:
$ gpg --verify myfile
To check myfile against a detached signature in myfile.sig: [Recipe 7.14]
$ gpg --verify myfile.sig myfile
Decrypting a signed file [Recipe 7.5] also checks its signature, e.g.:
$ gpg myfile
Discussion
When GnuPG detects a signature, it lets you know:
gpg: Signature made Wed 15 May 2002 10:19:20 PM EDT using DSA key ID 00F5B71F
If the signed file has not been altered, you’ll see a result like:
gpg: Good signature from "Shawn Smith <smith@example.com>"
Otherwise:
gpg: BAD signature from "Shawn Smith <smith@example.com>"
indicates that the file is not to be trusted.
If you don’t have the public key needed to check the signature, contact the key owner or check keyservers [Recipe 7.21] to obtain it, then import it. [Recipe 7.10]
See Also
gpg(1).
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.