This how-to gives a step-by-step, 1-minute process for verifying that a file in your possession was digitally signed by a particular GPG Secret Key and has not been modified since it was signed.
Downloading What You Need
Acquire the Public Key.
- Import the Public Key into GPG.
Acquire a copy of the file in question.
Acquire a copy of the signature-file in question.
- Save it in the same Folder.
Using GPG to Verify that someone’s Secret Key Signed the File in Question
Open a command-line interface.
- Change the working directory to the Folder where your file and signature-file are saved.
Verify the signature.
- Type the following command into a command-line interface:
- gpg --verify [signature-file] [file]
- E.g., if you have acquired
- (1) the Public Key 0x416F061063FEE659,
- (2) the Tor Browser Bundle file (tor-browser.tar.gz), and
- (3) the signature-file posted alongside the Tor Browser Bundle file (tor-browser.tar.gz.asc),
- You would type the following:
- gpg --verify tor-browser.tar.gz.asc tor-browser.tar.gz
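gpg --verify reports a good signature from any key in your keyring, so confirming that a particular key signed the file means comparing the signer's fingerprint with the one you expect. The script below is an added example, not part of the original how-to: its function names are hypothetical, and it reads the machine-readable GOODSIG and VALIDSIG status lines that gpg writes with --status-fd.

```shell
#!/bin/sh
# Added example (not from the original how-to): check WHICH key made the signature.
# Preferably pass the full fingerprint; IDs shorter than 16 hex digits are refused.

# Strip spaces and a leading 0x, then upper-case the hex digits.
normalize_id() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# signer_matches STATUS EXPECTED
# STATUS is the text gpg writes with --status-fd. Returns 0 only when it holds
# a GOODSIG line (good signature, key not expired or revoked) and a VALIDSIG
# line whose signing-key fingerprint (field 3) or primary-key fingerprint
# (field 12) ends with EXPECTED. Returns 2 if EXPECTED is unusable.
signer_matches() {
    want=$(normalize_id "$2")
    case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -ge 16 ] || return 2
    printf '%s\n' "$1" | awk -v want="$want" '
        function ends_with(s, suf) {
            return length(s) >= length(suf) &&
                   substr(s, length(s) - length(suf) + 1) == suf
        }
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (ends_with(toupper($3), want) || ends_with(toupper($12), want)) { hit = 1 }
        END { exit !(good && hit) }'
}

# verify_signed_by EXPECTED SIGNATURE-FILE FILE
# Runs gpg itself, then applies the fingerprint check to its status output.
verify_signed_by() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || return 1
    signer_matches "$status" "$1"
}

# Command-line use: EXPECTED SIGNATURE-FILE FILE
if [ "$#" -eq 3 ]; then
    if verify_signed_by "$@"; then
        echo "good signature from $1"
    else
        echo "NOT verified as signed by $1" >&2
        exit 1
    fi
fi
```

Saved under an assumed name such as check-signer.sh, it is run as `sh check-signer.sh 0x416F061063FEE659 tor-browser.tar.gz.asc tor-browser.tar.gz`.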