How to Verify PGP Signature of Downloaded Software on Linux

PGP (Pretty Good Privacy) is a public key cryptography software that can be used to encrypt and sign data communication. In this tutorial, we will look at how to verify the PGP signature of software downloaded from the Internet on Linux.

Linux users can securely install software from their distribution’s repositories. But there are times when you need to download and install software from a website. How can you be sure that the software you downloaded wasn’t tampered with?

Some software authors sign their software using a PGP program such as GPG (GNU Privacy Guard), which is a free software implementation of the OpenPGP standard. In that case, you can verify the integrity of software using GPG.

The process is relatively simple:

  1. You download the public key (.asc file) of the software author.
  2. Check the public key’s fingerprint to ensure that it’s the correct key.
  3. Import the correct public key to your GPG public keyring.
  4. Download the PGP signature file (.sig) of the software.
  5. Use public key to verify PGP signature. If the signature is correct, then the software wasn’t tampered with.

We will use VeraCrypt as an example to show you how to verify PGP signature of downloaded software.

Example: Verify PGP Signature of VeraCrypt

Although VeraCrypt is open source software, it isn’t included in Ubuntu repository. We can download VeraCrypt Linux installer from official website. I use Ubuntu 20.04 desktop, so I download the .deb file for Ubuntu 20.04.

On the VeraCrypt download page, you can also find the PGP public key and PGP signature download link. Click the links to download these two files.  You can run the following command to download PGP public key of VeraCrypt.

wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc

Before you do anything with the public key, you must always check the key’s fingerprint to see if it’s the correct key. Display the fingerprint of the key using the command below.

gpg --show-keys VeraCrypt_PGP_public_key.asc

The second line of the output is the key’s fingerprint.

If you are using a very old version of GPG (gpg --version) like 1.4.20, then use the following command to display the fingerprint.

gpg --with-fingerprint VeraCrypt_PGP_public_key.asc

Compare it with the fingerprint published on VeraCrypt website.

As you can see, the two fingerprints are identical, which means the public key is correct. So you can import the public key to your GPG public keyring with:

gpg --import VeraCrypt_PGP_public_key.asc

Now verify the signature of the software installer file using the command below. You need to specify the signature file (.sig) and the software installer file. This is a detached signature, meaning that the signature and software are in separate files.

gpg --verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb

The output should say “Good Signature”.

How signature verifications works:

  • The signature is a hash value, encrypted with the software author’s private key.
  • GPG uses the public key to decrypt hash value.
  • GPG calculates the hash value of VeraCrypt installer and compare the two.
  • If these two hash values match, then the signature is good and the software wasn’t tampered with.

If GPG tells you it’s a bad signature, then the software installer was tampered with or corrupted.

Importing Public Key from a Trusted Source

Note that if the software author tells you his/her public key ID on the website, then you can import the public key with the following command, so you don’t have to manually download the PGP public key and import it to your keyring.

gpg --recv-keys <key-ID>

Then display the fingerprint with:

gpg --fingerprint <key-ID>

And compare the fingerprint from output with the one published on website. This is more secure because the public key is imported from a public key server, which by default is set to hkp://keys.gnupg.net in ~/.gnupg/gpg.conf file. There’re hundreds of public keyservers around the world. Ubuntu has their own key server. MIT also has one.

If you see the following error,

gpg: keyserver receive failed: No data

then you can try a different key server, like this:

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x680D16DE

That’s it!

I hope this tutorial helped you verify PGP signature of software downloads. As always, if you found this post useful, then subscribe to our free newsletter or follow us on Twitter or like our Facebook page.

Rate this tutorial
[Total: 39 Average: 4.7]

23 Responses to “How to Verify PGP Signature of Downloaded Software on Linux”

  • fantom007
    4 years ago
    Reply

    Thank you and well done play by play!

  • Bob Smith
    4 years ago
    Reply

    Thank you!

    • Xiao Guo-An (Admin)
      4 years ago
      Reply

      You are welcome 🙂

  • Jack
    4 years ago
    Reply

    I get the following error:
    [email protected]:~$ gpg –with-fingerprint VeraCrypt_PGP_public_key.asc

    gpg: WARNING: no command supplied. Trying to guess what you mean ...
     pub rsa4096 2014-06-27 [SCE]
     uid VeraCrypt Team 
     

    I’m using Ubuntu 18.04.01 Live USB with persistence.

    • Xiao Guoan (Admin)
      1 year ago
      Reply

      If you use GPG version 2.x (gpg --version), then use the --show-keys option to display the fingerprint.

      gpg --show-keys VeraCrypt_PGP_public_key.asc
  • Ryan
    3 years ago
    Reply

    In your tutorial, you used wget to download the detached keys for verification purposes. How did you know where to find them? I am trying to do this process for Apache Spark, but I can’t find the .asc file that the Apache Software Foundation says is supposed to be there. Thanks!

  • Mike
    3 years ago
    Reply

    This is completely different from the instructions on the Tor website at https://support.torproject.org/tbb/how-to-verify-signature/

    • Xiao Guoan (Admin)
      3 years ago
      Reply

      Sometimes you can do something in multiple ways.

      The overall process is the same, with some differences in the command line arguments.

  • Rodney Jackson
    1 year ago
    Reply

    Where have I gone wrong.?

    [email protected]:~$ wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
     --2021-05-14 14:02:12-- https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
     Resolving www.idrix.fr (www.idrix.fr)... 51.210.181.103
     Connecting to www.idrix.fr (www.idrix.fr)|51.210.181.103|:443... connected.
     HTTP request sent, awaiting response... 200 OK
     Length: 5434 (5.3K) [text/plain]
     Saving to: 'VeraCrypt_PGP_public_key.asc’
     
     VeraCrypt_PGP_publi 100%[===================>] 5.31K --.-KB/s in 0s 
     
     2021-05-14 14:02:15 (97.9 MB/s) - 'VeraCrypt_PGP_public_key.asc’ saved [5434/5434]
     
     [email protected]:~$ gpg --show-keys VeraCrypt_PGP_public_key.asc
     pub rsa4096 2018-09-11 [SC]
     5069A233D55A0EEB174A5FC3821ACD02680D16DE
     uid VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) 
     sub rsa4096 2018-09-11 [E]
     sub rsa4096 2018-09-11 [A]
     
     [email protected]:~$ gpg --with-fingerprint VeraCrypt_PGP_public_key.asc
     gpg: WARNING: no command supplied. Trying to guess what you mean ...
     pub rsa4096 2018-09-11 [SC]
     uid VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) 
     sub rsa4096 2018-09-11 [E]
     sub rsa4096 2018-09-11 [A]
     [email protected]:~$ gpg --import VeraCrypt_PGP_public_key.asc
     gpg: key 821ACD02680D16DE: 1 signature not checked due to a missing key
     gpg: key 821ACD02680D16DE: public key "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) " imported
     gpg: Total number processed: 1
     gpg: imported: 1
     gpg: no ultimately trusted keys found
     [email protected]:~$ gpg --verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb
     gpg: can't open 'veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig': No such file or directory
     gpg: verify signatures failed: No such file or directory
     [email protected]:~$ gpg --verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb
     gpg: can't open 'veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig': No such file or directory
     gpg: verify signatures failed: No such file or directory
     [email protected]:~$ gpg --import VeraCrypt_PGP_public_key.asc
     gpg: key 821ACD02680D16DE: 1 signature not checked due to a missing key
     gpg: key 821ACD02680D16DE: "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) " not changed
     gpg: Total number processed: 1
     gpg: unchanged: 1
     [email protected]:~$ gpg --verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb
     gpg: can't open 'veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig': No such file or directory
     gpg: verify signatures failed: No such file or directory
     [email protected]:~$ gpg --recv-keys 
     bash: syntax error near unexpected token `newline'
     [email protected]:~$ gpg --recv-keys 
     bash: syntax error near unexpected token `newline'
     [email protected]:~$ gpg --fingerprint 
     bash: syntax error near unexpected token `newline'
     [email protected]:~$ gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x680D16DE
     gpg: key 821ACD02680D16DE: "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) " not changed
     gpg: Total number processed: 1
     gpg: unchanged: 1
     [email protected]:~$ gpg --show-keys VeraCrypt_PGP_public_key.asc
     pub rsa4096 2018-09-11 [SC]
     5069A233D55A0EEB174A5FC3821ACD02680D16DE
     uid VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) 
     sub rsa4096 2018-09-11 [E]
     sub rsa4096 2018-09-11 [A]
     
     [email protected]:~$ 
     
     
    • Xiao Guoan (Admin)
      1 year ago
      Reply

      Copy and paste without thinking.

      You need to know

      1.) your current working directory, which can be shown with pwd command
      2.) which directory the signature file and software installer file are downloaded to.

    • Vedang Mulay
      1 year ago
      Reply

      Also use the

      ls

      command to check the files in the current directory to make sure the file is there. Check to make sure the file isn’t misspelled. Usually you can copy and paste from the terminal window by doing CTRL+SHIFT+C and CTRL+SHIFT+V, so you don’t need to type manually.

  • eddy canuck
    1 year ago
    Reply

    Ok – I am using gpg v2.2.4 under Zorin v15.3 (Ubuntu 18.04) and there is NO shows-keys Command, so it must be something different and in scanning the output of the Command I am at a loss to see which one it is.

    I reproduce here:
    ====================================

    Commands:
     
     -s, --sign make a signature
     --clear-sign make a clear text signature
     -b, --detach-sign make a detached signature
     -e, --encrypt encrypt data
     -c, --symmetric encryption only with symmetric cipher
     -d, --decrypt decrypt data (default)
     --verify verify a signature
     -k, --list-keys list keys
     --list-signatures list keys and signatures
     --check-signatures list and check key signatures
     --fingerprint list keys and fingerprints
     -K, --list-secret-keys list secret keys
     --generate-key generate a new key pair
     --quick-generate-key quickly generate a new key pair
     --quick-add-uid quickly add a new user-id
     --quick-revoke-uid quickly revoke a user-id
     --quick-set-expire quickly set a new expiration date
     --full-generate-key full featured key pair generation
     --generate-revocation generate a revocation certificate
     --delete-keys remove keys from the public keyring
     --delete-secret-keys remove keys from the secret keyring
     --quick-sign-key quickly sign a key
     --quick-lsign-key quickly sign a key locally
     --sign-key sign a key
     --lsign-key sign a key locally
     --edit-key sign or edit a key
     --change-passphrase change a passphrase
     --export export keys
     --send-keys export keys to a keyserver
     --receive-keys import keys from a keyserver
     --search-keys search for keys on a keyserver
     --refresh-keys update all keys from a keyserver
     --import import/merge keys
     --card-status print the card status
     --edit-card change data on a card
     --change-pin change a card's PIN
     --update-trustdb update the trust database
     --print-md print message digests
     --server run in server mode
     --tofu-policy VALUE set the TOFU policy for a key
     
     Options:
     
     -a, --armor create ascii armored output
     -r, --recipient USER-ID encrypt for USER-ID
     -u, --local-user USER-ID use USER-ID to sign or decrypt
     -z N set compress level to N (0 disables)
     --textmode use canonical text mode
     -o, --output FILE write output to FILE
     -v, --verbose verbose
     -n, --dry-run do not make any changes
     -i, --interactive prompt before overwriting
     --openpgp use strict OpenPGP behavior
     
     (See the man page for a complete listing of all commands and options)
     
     Examples:
     
     -se -r Bob [file] sign and encrypt for user Bob
     --clear-sign [file] make a clear text signature
     --detach-sign [file] make a detached signature
     --list-keys [names] show keys
     --fingerprint [names] show fingerprints
     
     Please report bugs to .

    =============================================

  • Vedang Mulay
    1 year ago
    Reply

    Thanks Xiao, clearly explained. I will add that pgp key blocks can be verified by copying and pasting into the command line as well so don’t need to save to file.

  • Gibson
    2 months ago
    Reply

    I am stuck on the last step. I copy and pasted gpg –verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.
    Instead of getting the gpg: good signature I get verified signatures failed: no such file or directory.
    How do I solve this?

  • Gibson
    2 months ago
    Reply

    Is anyone available to help me? I am stuck on the last step.

    • pengu
      2 months ago
      Reply

      you probably saved both downloads from veracrypt to your downloads directory; use command cd Downloads/ and then gpg –verify veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb.sig veracrypt-1.24-Update7-Ubuntu-20.04-amd64.deb and you should be good.

      • Gibson
        2 months ago
        Reply

        Thank you for the response Pengu.

        I entered cd Downloads/ into the terminal and it responded with ~/Downloads$. I then copy and pasted the command you provided above after the cs Downloads/ and it came back with WARNING: No command supplied. I also tried both the commands you provided separately and it didn’t work.

        Did I enter it in wrong? It’s not letting me attach a screenshot atm so I can’t show you what I am seeing unfortunately.

      • Gibson
        2 months ago
        Reply

        I just restarted from the beginning this time making sure I saved the files into the download folder so they are all together. Still got the same response. Is there something I need to do before installing and verifying the program?

    • Xiao Guoan (Admin)
      2 months ago
      Reply

      You need to know the name of your files.
      Change to the Downloads directory.

      cd ~/Downloads/
       

      Then list files under this directory.

      ls
       

Leave a Comment Cancel reply