
This wikiHow teaches you how to verify the PGP signature of a downloaded file. You should always verify the PGP signature of a signed file to make sure the version you downloaded is official. To verify the signature, you'll need the publisher's public key, the software's signature file, and GnuPG. GnuPG is preinstalled in all Linux distributions, but you'll need to install it if you're using Windows or macOS.

Method 1 of 2:

Linux & macOS

  1. Install GnuPG. If you're using Linux rather than macOS, you can skip this step. macOS users should first install Homebrew, and then use it to install the GnuPG software package.
  2. Download the PGP signature file. This is the file that ends with .sig. Be sure to save the signature file to the same directory as the file you want to check.
    • An easy way to do this from the command prompt is to cd into the appropriate directory and download the file using wget https://path/to/signaturefile.sig.
  3. Download the signer's public key. You can usually download this from the signer's website or by saving an email attachment to your computer. The public key file usually ends with .asc.
    • As with downloading the signature file, you can use wget to download the public key.
    • If you have the key ID but not a path to download the file, use this command to get the key: gpg --recv-keys KEYID. If you receive the key this way, skip step 4 and go directly to step 5.
  4. Import the key into your public keyring. You can do this with the following command in a terminal window:
    • gpg --import PUBLICKEY.
    • Replace PUBLICKEY with the actual file name.[3]
  5. Now that all of the files are in their correct locations, you can verify the signature with the following command:
    • gpg --verify SIGNATURE.SIG FILE.
    • Replace SIGNATURE.SIG with the signature file name, and FILE with the name of the file you want to verify.
    • If the output says "Good Signature," you've successfully verified the signature. If the signature is bad, you'll know the file is broken or has been edited since the signing.
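
A "Good signature" line only tells you the file was signed by some key in your keyring. The script below is an added example, not part of the original article: it runs the same gpg --verify step but also requires the signer's fingerprint to match one you obtained from the publisher. The function names, sample status lines and fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a signature only if it comes from a pinned fingerprint.

# Read "gpg --status-fd" lines on stdin. Succeed only if a valid signature
# was made by the key whose fingerprint is $1 (spaces and case are ignored).
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired or revoked: never rely on the result.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint,
        # the last field is the primary key fingerprint.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# $1 = file to check, $2 = detached signature, $3 = expected fingerprint.
# Status lines go to stdout; gpg's human-readable text on stderr is dropped.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed sample of status output; the fingerprint is a made-up placeholder.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_good() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $SAMPLE_FPR"
}

# Demonstration on the constructed sample (no keyring or network needed).
sample_good | check_status "$SAMPLE_FPR" && echo "pinned signer verified (sample)"

# Real use: verify_pinned FILE SIGNATURE.SIG "FINGERPRINT FROM THE PUBLISHER"
```

Compare the fingerprint you pass in against one published somewhere other than the download page itself, such as the project's documentation or a signed announcement.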
Method 2 of 2:

Windows

  1. Install GPG4win. You can get the application from https://www.gpg4win.org/download.html. During the installation, you'll see a list of apps that will be installed; just keep the default options selected.
    • The default installation location is C:\Program Files (x86)\Gnu\GnuPg\gpg.exe. When you run the command required to verify the signature, you'll need to enter the full path to the gpg.exe file. If you choose a different install location, make sure you remember the full path.[4]
  2. Download the PGP signature file. This is the file that ends with .sig. You'll need to save the file to the same directory as the file you want to verify.
  3. Download the signer's public key. You can usually download this from the signer's website or by saving an email attachment to your computer. The public key file usually ends with .asc. This should also be saved to the same folder.
  4. It's the folder icon on the taskbar. You can also open it by pressing the Windows key + E.[5]
  5. If you don't see a navigation pane in the left panel of File explorer, click the View menu at the top and select Navigation pane and then Navigation pane again to bring it up. This makes it easier to find what you're looking for.
  6. A menu will expand.
  7. If you don't see that option, select Open PowerShell window here.
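  8. Import the key into your public keyring. Here's how:
    • Type "C:\Program Files (x86)\Gnu\GnuPg\gpg.exe" --import PUBLICKEY and press Enter. Keep the quotation marks around the path, because it contains spaces; in a PowerShell window, also type & and a space before the opening quotation mark. Replace PUBLICKEY with the actual file name.
    • If you don't have a file containing the public key, but you do have a key ID, use this command instead: "C:\Program Files (x86)\Gnu\GnuPg\gpg.exe" --recv-keys KEYID.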
  9. Now that the files are ready, here's how to verify the signature:[6]
    • "C:\Program Files (x86)\Gnu\GnuPg\gpg.exe" --verify SIGNATURE.SIG FILE
    • Keep the quotation marks around the path, because it contains spaces; in a PowerShell window, also type & and a space before the opening quotation mark.
    • Replace SIGNATURE.SIG with the signature file name, and FILE with the name of the file you want to verify.
    • If the output says "Good Signature," you've successfully verified the signature. If the signature is bad, you'll know the file is broken or has been edited since the signing.

Community Q&A

  • Question
    What is an open source software that can do the same thing? Some of us have special security circumstances.
    Radj307
    Community Answer
    GPG (GNU Privacy Guard), as part of the GNU movement, is open-source software.

About This Article

Written by: Nicole Levine, MFA, wikiHow Technology Writer
This article was co-authored by wikiHow staff writer, Nicole Levine, MFA. Nicole Levine is a Technology Writer and Editor for wikiHow. She has more than 20 years of experience creating technical documentation and leading support teams at major web hosting and software companies. Nicole also holds an MFA in Creative Writing from Portland State University and teaches composition, fiction-writing, and zine-making at various institutions. This article has been viewed 277,081 times.
Co-authors: 19
Updated: August 5, 2024
Views: 277,081
Categories: Internet Security
Article Summary

1. Install GnuPG if you're using a Mac, or GPG4win if you're using Windows.
2. Download the PGP signature file to the same directory as the file you're checking.
3. Download the signer's public key to the same location.
4. Import the key into your public keyring.
5. Use gpg --verify to verify the signature.
