How to verify a PGP signature with GnuPG
January 17, 2012
In case you are an idiot like me, here is a simple set of steps for verifying a PGP signature (for example, if you are downloading the TrueCrypt installer and you want to verify that the binary is intact).
If you already have GnuPG or another PGP client installed, skip steps 1 and 2.
1. Install GnuPG - on my Mac with MacPorts, I ran
sudo port install gnupg
2. Create your private key with
gpg --gen-key
Accept all of the default options.
3. Download the public key of the person/institution you want to verify. For TrueCrypt, their public key is available here.
4. Import the person’s public key into your key ring with:
gpg --import TrueCrypt-Foundation-Public-Key.asc
(change the filename to whatever is appropriate).
5. You need to sign the person’s public key with your private key, to tell PGP that you “accept” the key. Signing is your statement that you have checked the key really belongs to them, so compare its fingerprint (gpg --fingerprint) against one the publisher gives you through a separate channel before doing it; without this step gpg still verifies the file but warns that the key is not certified by a trusted signature. This contains a few steps on its own:
5a. List the keys in your keyring with
gpg --list-keys
The output will look like:
...
pub   1024D/F0D6B1E0 2004-06-06
uid                  TrueCrypt Foundation
sub   4077g/6B136ECF 2004-06-06
5b. The “name” of their key (its key ID) is the part after “1024D/” in the line
pub 1024D/F0D6B1E0 2004-06-06
5c. Sign their public key with:
gpg --sign-key F0D6B1E0
6. Now you can verify the signature of the file you downloaded. The .sig is a detached signature, so gpg looks for the signed file under the same name without the “.sig” suffix in the same directory. With TrueCrypt and its installer, this command was:
gpg --verify TrueCrypt\ 7.1\ Mac\ OS\ X.dmg.sig
gpg: Signature made Thu Sep 1 11:50:54 2011 EDT using DSA key ID F0D6B1E0
gpg: Good signature from "TrueCrypt Foundation "
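Added example, not part of the original post: when the steps above are run from a script rather than by hand, it is safer to parse gpg’s machine-readable --status-fd output than to grep for “Good signature”, and to pin the fingerprint of the key you imported so that a valid signature from some other key is rejected. The fingerprint below is a constructed placeholder, not the TrueCrypt Foundation’s real key.

```shell
#!/bin/sh
# check_status EXPECTED_FPR  < gpg-status-lines
# Reads "[GNUPG:] ..." status lines on stdin. Returns 0 only if a VALIDSIG
# line names the expected fingerprint (as the signing key or, in its last
# field, the primary key) and no failure status was reported.
check_status() {
  expected="$1"
  ok=1
  # read -r splits on whitespace without globbing, unlike "set -- $line"
  while read -r tag kw arg1 _rest; do
    [ "$tag" = "[GNUPG:]" ] || continue
    case "$kw" in
      VALIDSIG)
        last="${_rest##* }"   # primary-key fingerprint, when present
        if [ "$arg1" = "$expected" ] || [ "$last" = "$expected" ]; then
          ok=0
        fi
        ;;
      BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
        return 1            # fail closed on any explicit failure
        ;;
    esac
  done
  return $ok
}

# verify_file EXPECTED_FPR FILE.sig
# Runs gpg on a detached signature; the signed file is assumed to sit next to
# FILE.sig under the same name minus ".sig". Human-readable text goes to
# stderr (discarded); status lines go to stdout and are checked above.
verify_file() {
  gpg --batch --status-fd 1 --verify "$2" 2>/dev/null | check_status "$1"
}

# Constructed placeholder fingerprint for demonstration only.
EXAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
```

Because the fingerprint is pinned explicitly, the web-of-trust warning that appears when the key has not been signed no longer matters to the script’s decision.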
- mattnworb posted this