How to verify a PGP signature with GnuPGTue, Jan 17, 2012
In case you are an idiot like me, here is a simple set of steps for verifying a PGP signature (for example, if you are downloading the TrueCrypt installer and you want to verify that the binary is intact).
If you already have GnuPG or another PGP client installed, skip steps 1 and 2.
Install GnuPG - on my Mac with MacPorts, I ran
$ sudo port install gnupg
Create your private key with
$ gpg --gen-key
Accept all of the default options.
Download the public key of the person/institution you want to verify. For TrueCrypt, their public key is available here.
Import the person’s public key into your key ring with:
$ gpg --import TrueCrypt-Foundation-Public-Key.asc
(change the filename to whatever is appropriate).
You need to sign the person’s public key with your private key, to tell PGP that you “accept” the key. This contains a few steps on it’s own:
List the keys in your keyring with
$ gpg --list-keys
The output will look like:
... pub 1024D/F0D6B1E0 2004-06-06 uid TrueCrypt Foundation sub 4077g/6B136ECF 2004-06-06
The “name” of their key is the part after “1024D/” in the line
pub 1024D/F0D6B1E0 2004-06-06
Sign their public key with:
$ gpg --sign-key F0D6B1E0
Now you can verify the signature of the file you downloaded. With TrueCrypt and it’s installer, this command was:
$ gpg --verify TrueCrypt\ 7.1\ Mac\ OS\ X.dmg.sig
gpg: Signature made Thu Sep 1 11:50:54 2011 EDT using DSA key ID F0D6B1E0 gpg: Good signature from "TrueCrypt Foundation "