Verify a PGP signature with GnuPG

I set up GNU Privacy Guard (GnuPG or GPG), a free software implementation of OpenPGP, and use the utility to verify the PGP signatures of files.

Let’s go!

Using a PGP private/public key pair to create a digital signature for a file certifies its integrity. A developer signs a package with their private key and the receiver verifies the signature with the developer's public key. If the package has been modified or corrupted in transmission, the verification will fail.

0. Install GnuPG

sudo apt install gnupg dirmngr
gpg --version
    gpg (GnuPG) 2.1.18
    libgcrypt 1.7.6-beta

Invoking gpg --list-keys for the first time, with an empty keyring, creates the config directory in $HOME …

gpg --list-keys
    gpg: directory '/home/dwa/.gnupg' created

Default config files are ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf.

1. Keyserver

Many keys are stored on a keyserver. I choose the recommended SKS keyserver pool. Download the pool's CA certificate and verify it … 1

wget -P ~/.gnupg/
cd ~/.gnupg
openssl verify -trusted sks-keyservers.netCA.pem -check_ss_sig sks-keyservers.netCA.pem
    sks-keyservers.netCA.pem: OK
openssl x509 -in sks-keyservers.netCA.pem -noout -text | grep "X509v3 Subject Key Identifier" -A1 | tail -n1

… and compare with the key identifier recorded at

Add the keyserver and the CA to ~/.gnupg/dirmngr.conf

keyserver hkps://
hkp-cacert ~/.gnupg/sks-keyservers.netCA.pem

Link: OpenPGP Best Practices

2. Verify a PGP signature

Verifying authenticity of Debian installer images: “Cryptographically strong checksum algorithms (SHA256 and SHA512) are available for every release … To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files.”

Example: Download the (unofficial with firmware) minimal network installer and the signed checksum files …

Attempt the verification; the output displays the ID of the signing key …

gpg --verify SHA512SUMS.sign SHA512SUMS
    gpg: Signature made Sun 07 May 2017 02:28:21 PM EDT
    gpg:                using RSA key DA87E80D6294BE9B
    gpg: Can't check signature: No public key

Show details of the key on the keyserver …

gpg --search-keys DA87E80D6294BE9B
    gpg: data source:
    (1) Debian CD signing key <>
      4096 bit RSA key DA87E80D6294BE9B, created: 2011-01-05
      Keys 1-1 of 1 for "DA87E80D6294BE9B".  Enter number(s), N)ext, or Q)uit > n

Import the key from the keyserver ...

gpg --recv-keys DA87E80D6294BE9B
    gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg:               imported: 1

Display the keyring containing our new key …

gpg --list-keys
    pub   rsa4096 2011-01-05 [SC]
    uid           [ unknown] Debian CD signing key <>
    sub   rsa4096 2011-01-05 [E]

After importing the signing key …

gpg --verify SHA512SUMS.sign SHA512SUMS
    gpg: Signature made Sun 07 May 2017 02:28:21 PM EDT
    gpg:                using RSA key DA87E80D6294BE9B
    gpg: Good signature from "Debian CD signing key <>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

The warning that the key is not certified with a trusted signature means GnuPG verified that the signature was made by this key, but it cannot guarantee the key really belongs to the developer. It is up to me to decide how much confidence to place in the authenticity of the key.

For this Debian-provided signature file I compare the Primary key fingerprint line to the key fingerprints recorded on the Debian website. Looks good! 2

3. Verify file integrity

sha512sum --ignore-missing --check SHA512SUMS
    firmware-9.0.0-amd64-netinst.iso: OK
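As an added example (not code from the original post), the following POSIX shell functions automate steps 2 and 3: they read gpg's machine-readable --status-fd lines instead of the human-readable text, accept the signature only when the primary key fingerprint equals one obtained out of band (the value published on the Debian website), and only then run the checksum check. The SAMPLE_STATUS lines are constructed to resemble what gpg prints for the key above, and verify_signed_file is an assumed wrapper name.

```shell
#!/bin/sh
# Added example: accept a gpg verification only when the signature is GOOD
# and the primary key fingerprint equals one obtained out of band.
# "Good signature ... [unknown]" alone is not enough; the fingerprint is.

# Normalise a fingerprint for comparison: strip blanks, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-z' 'A-Z'
}

# Read "[GNUPG:] ..." status lines from stdin; $1 is the expected primary
# key fingerprint (spaces allowed, as printed on the Debian website).
# Returns 0 only for GOODSIG + VALIDSIG with a matching primary fingerprint;
# BADSIG, ERRSIG, NO_PUBKEY, EXPKEYSIG and REVKEYSIG all cause failure.
check_status() {
    expected=$(norm_fpr "$1")
    good=0; valid=0; bad=0; match=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                valid=1
                # Field 12 is the primary key fingerprint when gpg emits it;
                # otherwise fall back to field 3, the signing key fingerprint.
                fpr=$(printf '%s\n' "$line" | awk '{ if (NF >= 12) print $12; else print $3 }')
                if [ "$(norm_fpr "$fpr")" = "$expected" ]; then match=1; fi
                ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ] && [ "$match" -eq 1 ]
}

# Constructed sample of gpg --status-fd output for the post's signature
# (good signature from a key that is NOT certified, hence TRUST_UNDEFINED).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2017-05-07 1494181701 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Real use (assumed wrapper): verify_signed_file SHA512SUMS.sign SHA512SUMS "<fingerprint>"
# The checksum check runs only if the signature and fingerprint both pass.
verify_signed_file() {
    gpg --batch --status-fd 1 --verify "$1" "$2" | check_status "$3" \
        && sha512sum --ignore-missing --check "$2"
}
```

Run it as sh -c '. ./verify.sh; verify_signed_file SHA512SUMS.sign SHA512SUMS "DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B"' after saving the functions to verify.sh.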

Happy hacking!