June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
7.15. Checking a Signature
Problem
You want to verify that a GnuPG-signed file has not been altered.
Solution
To check a signed file, myfile:
$ gpg --verify myfile
To check myfile against a detached signature in myfile.sig: [Recipe 7.14]
$ gpg --verify myfile.sig myfile
Decrypting a signed file [Recipe 7.5] also checks its signature, e.g.:
$ gpg myfile
Discussion
When GnuPG detects a signature, it lets you know:
gpg: Signature made Wed 15 May 2002 10:19:20 PM EDT using DSA key ID 00F5B71F
If the signed file has not been altered, you’ll see a result like:
gpg: Good signature from "Shawn Smith <smith@example.com>"
Otherwise:
gpg: BAD signature from "Shawn Smith <smith@example.com>"
indicates that the file is not to be trusted.
If you don’t have the public key needed to check the signature, contact the key owner or check keyservers [Recipe 7.21] to obtain it, then import it. [Recipe 7.10]
See Also
gpg(1).