Logo
  • Ubuntu
  • CentOS
  • Debian
  • Fedora
  • RedHat

How to Verify PGP Signature of Downloaded Software on Linux - DesignLinux

Jul 06 2021
designlinux 0 Comments

When installing software on a Linux system is usually a smooth ride. In most cases, you would use a package manager such as apt, dnf, or Pacman to install it securely from your distribution’s repositories.

In some instances, however, a software package may not be included in the distribution’s official repository. In such scenarios, one is compelled to download it from the vendor’s website. But how sure are you that the software package wasn’t tampered with? This is the question we will seek to answer. In this guide, we focus on how to verify the PGP signature of a downloaded software package in Linux.

PGP (Pretty Good Privacy) is a cryptographic application used for encrypting and signing files. Most software authors sign their applications using the PGP program for instance GPG (GNU Privacy Guard).

GPG is a cryptography implementation of OpenPGP and it enables secure transmission of data and can also be used to verify the integrity of the source. In a similar fashion, you can leverage GPG to verify the authenticity of downloaded software.

The verification of the integrity of downloaded software is a 5-step procedure that takes the following order.

  • Downloading the public key of the software’s author.
  • Checking the key’s fingerprint.
  • Importing the public key.
  • Downloading the Signature file of the software.
  • Verify the signature file.

In this guide, we will use Tixati – a peer-to-peer file sharing program – as an example to demonstrate this. Already, we have downloaded the Debian package from the Offical download page.

Verify the PGP Signature of Tixati

Right off the bat, we are going to download the Author’s Public key that is used for verifying any releases. The link to the key is provided at the bottom of the Tixati downloads page.

Tixati GPG Key
Tixati GPG Key

On the command line, grab the Public key using the wget command as shown.

$ wget https://www.tixati.com/tixati.key

Check the Public key’s Fingerprint

Once the key is downloaded, the next step is to check the Public key’s fingerprint using the gpg command as shown.

$ gpg --show-keys tixati.key

The highlighted output is the fingerprint of the public key.

Check Public Key Fingerprint
Check Public Key Fingerprint

Import the GPG Key

Once we have checked the key’s public fingerprint, we will import the GPG key. This only needs to be done once.

$ gpg --import tixati.key
Import GPG Key
Import GPG Key

Download Signature File of the Software

Next, we will download the PGP signature file which is just adjacent to the Debian package as indicated. The signature file bears the .asc file extension.

Download PGP Signature File
Download PGP Signature File
$ wget https://download2.tixati.com/download/tixati_2.84-1_amd64.deb.asc
Download PGP Signature File
Download PGP Signature File

Verify the Signature File

Lastly, verify the integrity of the software using the signature file and against the Debian package as shown.

$ gpg --verify tixati_2.84-1_amd64.deb.asc tixati_2.84-1_amd64.deb
Verify PGP Signature File
Verify PGP Signature File

The third line’s output confirms that the Signature is from the software’s author, in this case, Tixati Software Inc. The line above provides the fingerprint which matches the fingerprint of the Public key. This is confirmation of the PGP signature of the software.

We hope that this guide provided insights into how you can go about verifying the PGP of a downloaded software package in Linux.

Related

Tags: commandline tools, gpg command

[Resolved] Cron job wget writing files to root directory

Prev Post

Top 5 Best Alternative Linux Distributions for Windows Users

Next Post
Archives
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • July 2022
  • June 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
Categories
  • AlmaLinux
  • Android
  • Ansible
  • Apache
  • Arch Linux
  • AWS
  • Backups
  • Bash Shell
  • Bodhi Linux
  • CentOS
  • CentOS Stream
  • Chef
  • Cloud Software
  • CMS
  • Commandline Tools
  • Control Panels
  • CouchDB
  • Data Recovery Tools
  • Databases
  • Debian
  • Deepin Linux
  • Desktops
  • Development Tools
  • Docker
  • Download Managers
  • Drupal
  • Editors
  • Elementary OS
  • Encryption Tools
  • Fedora
  • Firewalls
  • FreeBSD
  • FTP
  • GIMP
  • Git
  • Hadoop
  • HAProxy
  • Java
  • Jenkins
  • Joomla
  • Kali Linux
  • KDE
  • Kubernetes
  • KVM
  • Laravel
  • Let's Encrypt
  • LFCA
  • Linux Certifications
  • Linux Commands
  • Linux Desktop
  • Linux Distros
  • Linux IDE
  • Linux Mint
  • Linux Talks
  • Lubuntu
  • LXC
  • Mail Server
  • Manjaro
  • MariaDB
  • MongoDB
  • Monitoring Tools
  • MySQL
  • Network
  • Networking Commands
  • NFS
  • Nginx
  • Nodejs
  • NTP
  • Open Source
  • OpenSUSE
  • Oracle Linux
  • Package Managers
  • Pentoo
  • PHP
  • Podman
  • Postfix Mail Server
  • PostgreSQL
  • Python
  • Questions
  • RedHat
  • Redis Server
  • Rocky Linux
  • Security
  • Shell Scripting
  • SQLite
  • SSH
  • Storage
  • Suse
  • Terminals
  • Text Editors
  • Top Tools
  • Torrent Clients
  • Tutorial
  • Ubuntu
  • Udemy Courses
  • Uncategorized
  • VirtualBox
  • Virtualization
  • VMware
  • VPN
  • VSCode Editor
  • Web Browsers
  • Web Design
  • Web Hosting
  • Web Servers
  • Webmin
  • Windows
  • Windows Subsystem
  • WordPress
  • Zabbix
  • Zentyal
  • Zorin OS
Visits
  • 0
  • 486
  • 612,665

DesignLinux.com © All rights reserved

Go to mobile version