Verifying A GPG Signed File (April 01, 2013)

For some reason searching the Internet didn't help me much. So here are the steps to verify the integrity of a file you have downloaded from the Internet.

      gpg --verify-files emacs-24.3.tar.gz.sig
      gpg: Signature made Mon Mar 11 03:04:35 2013 CET using RSA key ID A0B0F199
      gpg: Can't check signature: No public key

This means you need to import the public key A0B0F199.

      gpg --recv-keys A0B0F199
      gpg: requesting key A0B0F199 from hkp server keys.gnupg.net
      gpg: key A0B0F199: public key "Glenn Morris <rgm@gnu.org>" imported
      gpg: Total number processed: 1
      gpg:               imported: 1  (RSA: 1)

Now that you have received the public key, you can verify the file.

      gpg --verify-files emacs-24.3.tar.gz.sig
      gpg: Signature made Mon Mar 11 03:04:35 2013 CET using RSA key ID A0B0F199
      gpg: Good signature from "Glenn Morris <rgm@gnu.org>"
      gpg: WARNING: This key is not certified with a trusted signature!
      gpg:          There is no indication that the signature belongs to the owner.
      Primary key fingerprint: B294 26DE FB07 724C 3C35  E5D3 6592 E9A3 A0B0 F199

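The file is good: the signature matches the file and was made by key A0B0F199. The warning just means you haven't certified that key as Glenn's, for example by meeting him in person for a key exchange. To be sure the key you imported is his, compare the primary key fingerprint above with one obtained from a source you trust. It is very unlikely that the file you have downloaded is infected.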
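
The steps above as a script (an added example, not part of the original post): it runs the verification and accepts the file only when gpg's machine-readable status output reports a good signature from the full fingerprint printed above. The function names and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a detached signature and pin the signer by full
# fingerprint instead of reading the human-oriented messages.

# Primary key fingerprint shown in the gpg output above, spaces removed.
EXPECTED_FPR="B29426DEFB07724C3C35E5D36592E9A3A0B0F199"

# signature_pinned FPR: reads "gpg --status-fd" lines on stdin. Succeeds only
# if there is a GOODSIG, every VALIDSIG names FPR as the primary key, and no
# bad, erroneous, expired or revoked-key status is present.
signature_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint when gpg reports it;
            # otherwise fall back to the signing key fingerprint in field 3.
            fpr = (NF >= 12 ? $12 : $3)
            if (toupper(fpr) == toupper(want)) pinned = 1; else bad = 1
        }
        END { exit ((good && pinned && !bad) ? 0 : 1) }'
}

# verify_pinned SIGFILE DATAFILE: run gpg and apply the check above.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        signature_pinned "$EXPECTED_FPR"
}

# Constructed sample of status output for a good signature (not captured
# from a real run); key ID and fingerprint are the ones shown on this page.
sample_good() {
    printf '%s\n' \
        '[GNUPG:] GOODSIG 6592E9A3A0B0F199 Glenn Morris <rgm@gnu.org>' \
        '[GNUPG:] VALIDSIG B29426DEFB07724C3C35E5D36592E9A3A0B0F199 2013-03-11 1362967475 0 4 0 1 2 00 B29426DEFB07724C3C35E5D36592E9A3A0B0F199'
}

# Example: sh verify.sh emacs-24.3.tar.gz.sig emacs-24.3.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "OK: signed by $EXPECTED_FPR"
    else
        echo "FAILED: no good signature from $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

A signature made by any other key fails this check even if that key carries the same name and e-mail address, because the comparison is on the full fingerprint.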
