How to Verify a GPG Signature

This how-to explains a clear, step-by-step, 1-minute process to verify that a file in your possession was digitally signed by a particular GPG Secret Key and has not been modified since it was signed.

Downloading What You Need

Acquire the Public Key.

  • Import the Public Key into GPG.

Acquire a copy of the file in question.

  • Save it in a Folder.

Acquire a copy of the signature-file in question.

  • Save it in the same Folder.

Using GPG to Verify that someone’s Secret Key Signed the File in Question

Open a command-line interface.

  • Change the working directory to the Folder where your file and signature-file are saved.

Verify the signature.

  • Type the following command into a command-line interface:

        gpg --verify [signature-file] [file]

  • E.g., if you have acquired
      (1) the Public Key 0x416F061063FEE659,
      (2) the Tor Browser Bundle file (tor-browser.tar.gz), and
      (3) the signature-file posted alongside the Tor Browser Bundle file (tor-browser.tar.gz.asc),
    you would type the following:

        gpg --verify tor-browser.tar.gz.asc tor-browser.tar.gz
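A scripted form of the verification step above, added here as an example and not part of the original how-to: it runs the same gpg --verify, then reads GnuPG's machine-readable status lines to confirm the good signature came from the particular key you expected rather than from any key in your keyring. The function names are hypothetical, and the expected key is passed as an argument (a full fingerprint, or a long key ID like the one shown above).

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Read GnuPG "--status-fd" lines on stdin. Succeed only if
#   1. a GOODSIG line is present (not emitted for expired or revoked keys), and
#   2. a VALIDSIG line names the expected key, either as the signing key
#      (field 3) or as its primary key (last field).
# $1 is the expected key: a 40-hex fingerprint (preferred) or a 16-hex long
# key ID; spaces and a leading "0x" are ignored.
status_matches_key() {
    expected=$(printf '%s' "${1#0x}" | tr -d ' ' | tr 'a-f' 'A-F')
    # Refuse short key IDs: 8 hex digits are too easy to collide.
    [ "${#expected}" -ge 16 ] || return 2
    awk -v want="$expected" '
        # Compare only the trailing part, so a long key ID matches its fingerprint.
        function tail(s) { return substr(s, length(s) - length(want) + 1) }
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (tail($3) == want || tail($NF) == want) { pinned = 1 }
        END { exit !(good && pinned) }'
}

# usage: verify_signed_by <expected-key> <signature-file> <file>
verify_signed_by() {
    # gpg exits non-zero if the file was modified or the public key is missing.
    status=$(gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_matches_key "$1"
}

# Run directly, e.g.:
#   sh verify.sh 0x416F061063FEE659 tor-browser.tar.gz.asc tor-browser.tar.gz
if [ "$#" -eq 3 ]; then
    if verify_signed_by "$@"; then
        echo "OK: good signature from the expected key"
    else
        echo "FAIL: signature is bad, or was not made by the expected key" >&2
        exit 1
    fi
fi
```
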
