Recipe 7.15 Checking a Signature

7.15.1 Problem

You want to verify that a GnuPG-signed file has not been altered.

7.15.2 Solution

To check a signed file, myfile:

$ gpg --verify myfile

To check myfile against a detached signature [Recipe 7.14] in myfile.sig:

$ gpg --verify myfile.sig myfile

Decrypting a signed file [Recipe 7.5] also checks its signature, e.g.:

$ gpg myfile

7.15.3 Discussion

When GnuPG detects a signature, it lets you know:

gpg: Signature made Wed 15 May 2002 10:19:20 PM EDT using DSA key ID 00F5B71F

If the signed file has not been altered, you'll see a result like:

gpg: Good signature from "Shawn Smith <smith@example.com>"

Otherwise, a result like:

gpg: BAD signature from "Shawn Smith <smith@example.com>"

indicates that the file is not to be trusted.

If you don't have the public key needed to check the signature, contact the key owner or check keyservers [Recipe 7.21] to obtain it, then import it. [Recipe 7.10]
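When the check runs from a script rather than at a terminal, the results described above can be read from gpg's machine-readable status lines (--status-fd) instead of the human-readable text. The following is an added example, not part of the original recipe; the function names, verdict words, fingerprints and sample status lines are constructed for illustration, and it assumes you already know the full fingerprint of the key you expect.

```shell
#!/bin/sh
# Added example: decide on gpg's "[GNUPG:]" status lines, not on its
# human-readable messages. Fingerprints and sample lines are constructed.

# classify_status PINNED_FPR   (status lines on stdin) prints one verdict:
#   good | bad | expired-or-revoked | wrongkey | unchecked | nosig
classify_status() {
    pinned=$1
    verdict=nosig
    while read -r prefix keyword arg1 rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG)                       # data or signature was altered
                verdict=bad; break ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG)   # verifies, but signature/key expired or revoked
                verdict=expired-or-revoked; break ;;
            ERRSIG|NO_PUBKEY)             # signature could not be checked at all
                if [ "$verdict" = nosig ]; then verdict=unchecked; fi ;;
            VALIDSIG)                     # arg1 = signing key, last field = primary key
                primary=${rest##* }
                if [ "$arg1" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    verdict=good
                elif [ "$verdict" != good ]; then
                    verdict=wrongkey      # valid, but not from the key we expect
                fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# verify_pinned SIGFILE DATAFILE PINNED_FPR: run gpg and classify its status output.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$3"
}

# Demo on constructed status output (gpg itself is not needed for this part).
FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     # constructed "expected" key
OTHER=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB   # constructed unrelated key
valid_line() {
    printf '[GNUPG:] VALIDSIG %s 2002-05-15 1021515560 0 4 0 17 2 00 %s\n' "$1" "$1"
}
valid_line "$FPR"   | classify_status "$FPR"     # good
valid_line "$OTHER" | classify_status "$FPR"     # wrongkey
printf '%s\n' '[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Shawn Smith <smith@example.com>' |
    classify_status "$FPR"                       # bad
```

In a script, treat anything other than the verdict good as a failed check, for example: [ "$(verify_pinned myfile.sig myfile "$FPR")" = good ] || exit 1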

7.15.4 See Also

gpg(1).


