PGP (Pretty Good Privacy) is public key cryptography software that can be used to encrypt and sign data communication. In this tutorial, we will look at how to verify the PGP signature of software downloaded from the Internet on Linux.

Linux users can securely install software from their distribution's repositories. But there are times when you need to download and install software from a website. How can you be sure that the software you downloaded wasn't tampered with?

Some software authors sign their software using a PGP program such as GPG (GNU Privacy Guard), which is a free software implementation of the OpenPGP standard. In that case, you can verify the integrity of software using GPG.

- Check the public key's fingerprint to ensure that it's the correct key.
- Import the correct public key to your GPG public keyring.
- Use the public key to verify the PGP signature.

If the signature is correct, then the software wasn't tampered with.

We will use VeraCrypt as an example to show you how to verify the PGP signature of downloaded software.

Example: Verify PGP Signature of VeraCrypt

Although VeraCrypt is open source software, it isn't included in the Ubuntu repository. We can download the VeraCrypt Linux installer from the official website. I use Ubuntu 20.04 desktop, so I download the.

On the VeraCrypt download page, you can also find the PGP public key and PGP signature download link. Click the links to download these two files. You can run the following command to download the PGP public key of VeraCrypt.

    wget

Before you do anything with the public key, you must always check the key's fingerprint to see if it's the correct key. Display the fingerprint of the key using the command below.

    gpg --show-keys VeraCrypt_PGP_public_key.asc

The second line of the output is the key's fingerprint. If you are using a very old version of GPG (gpg --version) like 1.4.20, then use the following command to display the fingerprint.

    gpg --with-fingerprint VeraCrypt_PGP_public_key.asc

Compare it with the fingerprint published on the VeraCrypt website.

As you can see, the two fingerprints are identical, which means the public key is correct. So you can import the public key to your GPG public keyring with:

    gpg --import VeraCrypt_PGP_public_key.asc

Now verify the signature of the software installer file using the command below. You need to specify the signature file (.

This is a detached signature, meaning that the signature and software are in separate files.

- The signature is a hash value, encrypted with the software author's private key.
- GPG uses the public key to decrypt the hash value.
- GPG calculates the hash value of the VeraCrypt installer and compares the two.
- If these two hash values match, then the signature is good and the software wasn't tampered with.

If GPG tells you it's a bad signature, then the software installer was tampered with or corrupted.

Importing Public Key from a Trusted Source

Note that if the software author tells you his/her public key ID on the website, then you can import the public key with the following command, so you don't have to manually download the PGP public key and import it to your keyring.

Then display the fingerprint with:

    gpg --fingerprint

And compare the fingerprint from the output with the one published on the website. This is more secure because the public key is imported from a public key server, which by default is set to hkp:// in the ~/.gnupg/gpg.conf file. There are hundreds of public keyservers around the world. If you see the following error,

    gpg: keyserver receive failed: No data

then you can try a different key server, like this:

    gpg --keyserver hkps:// --recv-keys 0x680D16DE
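The fingerprint check, key import and detached-signature verification from the VeraCrypt example, combined into one script. This is an added example, not code from the original tutorial: it reads gpg's machine-readable output (`--with-colons`, `--status-fd`) instead of the on-screen text and compares the full fingerprint. The helper name `verify_download` and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial. verify_download is a hypothetical
# helper name; the SAMPLE_* values below are constructed.

# Fingerprint as published on a web page -> 40 hex digits, upper case.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Primary-key fingerprint from `gpg --with-colons` output on stdin:
# field 10 of the first "fpr" record.
primary_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# Succeed only if the --status-fd lines on stdin contain GOODSIG plus a
# VALIDSIG naming key $1 (field 3: signing key, last field: primary key).
# Appending "" forces string comparison, so all-digit values are not
# compared as floating-point numbers.
good_sig_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { valid = 1 }
        END { exit !(good && valid) }'
}

# verify_download KEYFILE "PUBLISHED FINGERPRINT" SIGFILE INSTALLER
# The subshell body keeps the throwaway keyring away from ~/.gnupg.
verify_download() (
    want=$(norm_fpr "$2")
    got=$(gpg --show-keys --with-colons "$1" | primary_fpr)
    if [ -z "$want" ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch, key file has: $got" >&2
        exit 1
    fi
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    gpg --quiet --import "$1" &&
        gpg --status-fd 1 --verify "$3" "$4" 2>/dev/null | good_sig_by "$want"
    rc=$?
    rm -rf "$GNUPGHOME"
    exit "$rc"
)

# Constructed samples of the two machine-readable formats parsed above.
SAMPLE_COLONS='pub:-:4096:1:0123456789ABCDEF:1530000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1530000000::::Example Signer <signer@example.org>:'
SAMPLE_STATUS='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF 2020-06-01 1591000000 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF'
```

Call it as `verify_download VeraCrypt_PGP_public_key.asc "<fingerprint from the website>" <signature file> <installer file>`; it exits 0 only when the key file carries the published fingerprint and that key made a good signature over the installer.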