In an era where digital security is paramount, ensuring the integrity and authenticity of files you download or receive is critical. Whether you’re installing software, verifying a document, or confirming the source of a sensitive file, GPG (GNU Privacy Guard) signatures provide a robust way to validate that a file hasn’t been tampered with and was indeed created by the claimed sender.

GPG signatures rely on public-key cryptography: the sender signs the file with their private key, and anyone with the corresponding public key can verify the signature. While many guides focus on verifying signatures using keys fetched from public key servers, there are scenarios where you need to verify against a specific public key file (e.g., the key isn’t on a server, or you want to avoid relying on third-party key servers for security).

This guide will walk you through verifying a GPG signature using a local public key file, with clear, step-by-step instructions for beginners and experts alike.

Table of Contents#

1. What You’ll Need
2. Step 1: Install GPG
3. Step 2: Obtain the Public Key File
4. Step 3: Import the Public Key (Optional)
5. Step 4: Verify the GPG Signature
6. Step 5: Interpret the Verification Output
7. Troubleshooting Common Issues
8. Conclusion
9. References

What You’ll Need#

Before starting, ensure you have the following:

• GPG installed on your system (see Step 1 for installation instructions).
• The public key file (.asc, .gpg, or .pub extension) provided by the sender/developer. This is the "specific public key" you’ll use for verification.
• The signed file you want to verify (e.g., a software archive like myapp-v1.0.tar.gz).
• The signature file (detached signature) associated with the signed file. This is typically named after the signed file with a .sig or .asc extension (e.g., myapp-v1.0.tar.gz.sig or myapp-v1.0.tar.gz.asc).

Step 1: Install GPG#

First, ensure GPG is installed on your system. GPG is preinstalled on most Linux distributions, but you may need to install it manually on macOS or Windows.

Linux#

Most Linux distributions include GPG by default. If not, install it via your package manager:

• Debian/Ubuntu:

  sudo apt update && sudo apt install gnupg  

• Fedora/RHEL:

  sudo dnf install gnupg  

• Arch Linux:

  sudo pacman -S gnupg  

macOS#

Use Homebrew to install GPG:

brew install gnupg  

Windows#

Download and install Gpg4win (the official Windows port of GPG). During installation, ensure "GnuPG" is selected (it’s included by default).

Verify installation by running:

gpg --version  

You should see output like gpg (GnuPG) 2.4.3 (version numbers may vary).

Step 2: Obtain the Public Key File#

To verify a signature, you need the public key file of the sender/developer. This file is often provided alongside the signed file (e.g., on a project’s "Downloads" page or in a repository’s KEYS file).

Example Scenario:#

If you’re downloading a Linux ISO from example.com, the site might link to:

• linux-iso-v2.0.iso (the signed file),
• linux-iso-v2.0.iso.sig (the detached signature),
• developer-public-key.asc (the public key file).

Key Best Practices:#

• Always fetch the public key from a trusted source (e.g., the official website, not a third-party mirror).
• Verify the key’s authenticity (if possible) by cross-checking its fingerprint with the developer’s social media, email, or physical documentation (this ensures you haven’t downloaded a fake key).

Step 3: Import the Public Key (Optional)#

Before verifying the signature, you can import the public key file into your GPG keyring (a local database of public keys). This step is optional—you can verify directly against the key file without importing—but importing makes future verifications faster (you won’t need the key file again).

Import the Key File:#

Run the following command, replacing public-key.asc with the path to your public key file:

gpg --import public-key.asc  

Example Output:#

gpg: key ABC123DEF456: public key "Jane Developer <jane@example.com>" imported  
gpg: Total number processed: 1  
gpg:               imported: 1  

Verify the Import:#

To confirm the key was imported, list your keys and search for the key’s ID or email:

gpg --list-keys "Jane Developer"  

Example Output:#

pub   rsa4096 2023-01-15 [SC]  
      ABC123DEF456GHI789JKL012MNOP345QRST678  
uid           [ unknown] Jane Developer <jane@example.com>  
sub   rsa4096 2023-01-15 [E]  

The pub line shows the key’s fingerprint (truncated here as ABC123DEF456...), confirming the key is in your keyring.

Step 4: Verify the GPG Signature#

Now you’re ready to verify the signature. There are two methods:

Method 1: Verify Using the Imported Key#

If you imported the key (Step 3), run:

gpg --verify signature-file.sig signed-file  

• Replace signature-file.sig with the path to the detached signature (e.g., linux-iso-v2.0.iso.sig).
• Replace signed-file with the path to the file you want to verify (e.g., linux-iso-v2.0.iso).

Method 2: Verify Directly Against the Key File (No Import)#

If you prefer not to import the key (e.g., to avoid cluttering your keyring), verify directly against the key file using the --keyring flag:

gpg --verify --keyring ./public-key.asc signature-file.sig signed-file  

• --keyring ./public-key.asc: Tells GPG to use the specified key file instead of your default keyring.
• Use an absolute path (e.g., /home/user/downloads/public-key.asc) if the key file isn’t in your current directory.

Example Command:#

For a signature file myapp.tar.gz.sig, signed file myapp.tar.gz, and key file developer-key.asc:

# Using imported key:  gpg --verify myapp.tar.gz.sig myapp.tar.gz   # Using key file directly:  gpg --verify --keyring ./developer-key.asc myapp.tar.gz.sig myapp.tar.gz  

Step 5: Interpret the Verification Output#

After running the --verify command, GPG will output a result. Here’s how to interpret common scenarios:

1. Success: "Good Signature"#

Example Output:#

gpg: Signature made Wed 01 Jan 2024 12:00:00 PM UTC  
gpg:                using RSA key ABC123DEF456GHI789JKL012MNOP345QRST678  
gpg: Good signature from "Jane Developer <jane@example.com>" [unknown]  
gpg: WARNING: This key is not certified with a trusted signature!  
gpg:          There is no indication that the signature belongs to the owner.  
Primary key fingerprint: ABC1 23DE F456 GHI7 89JK L012 MNOP 345Q RST6 7890  

What This Means:#

• "Good signature": The file is cryptographically valid—it hasn’t been tampered with, and the signature was created with the private key corresponding to the public key you used.
• "[unknown]" trust level: GPG doesn’t "trust" the key by default (you haven’t explicitly verified the key’s owner). This is normal! The warning is a reminder to confirm the key’s authenticity (e.g., by checking the fingerprint with the developer).

2. Failure: "BAD Signature"#

Example Output:#

gpg: Signature made Wed 01 Jan 2024 12:00:00 PM UTC  
gpg:                using RSA key ABC123DEF456GHI789JKL012MNOP345QRST678  
gpg: BAD signature from "Jane Developer <jane@example.com>" [unknown]  

What This Means:#

The file has been tampered with, or the signature was forged. DO NOT USE THE FILE—delete it and redownload from a trusted source.

3. Error: "No Public Key"#

Example Output:#

gpg: Can't check signature: No public key  

What This Means:#

GPG can’t find the public key needed to verify the signature. Fixes:

• Import the key file (Step 3), or
• Use --keyring to specify the key file path (Method 2 in Step 4).

Troubleshooting Common Issues#

Issue 1: "gpg: can’t open ‘signature.sig’: No such file or directory"#

• Cause: GPG can’t find the signature file or signed file.
• Fix: Check file paths. Use absolute paths (e.g., /home/user/downloads/signature.sig) or navigate to the directory containing the files first with cd /path/to/files.

Issue 2: "gpg: verify signatures failed: No public key"#

• Cause: The public key isn’t in your keyring, and you didn’t use --keyring to specify the key file.
• Fix: Import the key (Step 3) or re-run the verify command with --keyring /path/to/public-key.asc.

Issue 3: "Signature made with expired key"#

Example Output:#

gpg: WARNING: The key's user ID is not certified with a trusted signature!  
gpg:          There is no indication that the signature belongs to the owner.  
gpg: WARNING: This key has expired!  
Primary key fingerprint: ABC1 23DE F456 GHI7 89JK L012 MNOP 345Q RST6 7890  
gpg: Good signature from "Jane Developer <jane@example.com>" [unknown]  

• Cause: The public key has expired.
• Fix: Contact the developer for an updated public key, or check if they’ve revoked/renewed their key.

Issue 4: "gpg: invalid key resource URL ‘keyring’"#

• Cause: Typo in the --keyring path (e.g., --keyring public-key.asc instead of --keyring ./public-key.asc).
• Fix: Ensure the path to the key file is correct. Use ./ for the current directory (e.g., --keyring ./public-key.asc).

Conclusion#

Verifying GPG signatures against a specific public key file is a critical skill for securing your digital interactions. By following these steps, you can confirm that files are authentic and untampered with, protecting yourself from malware, fraud, and data breaches.

Remember: A "Good signature" only confirms cryptographic validity—always verify the public key’s authenticity (via fingerprints or trusted channels) to ensure you’re using the correct key.

References#

• GnuPG Official Documentation
• GPG Manual: --verify Command
• Gpg4win (Windows Installation)
• Homebrew (macOS Package Manager)
• Linux Foundation: GPG Signature Verification Guide