Recipe 7.15 Checking a Signature
7.15.1 Problem
You want to verify that a GnuPG-signed file has not been altered.
7.15.2 Solution
To check a signed file, myfile:
$ gpg --verify myfile
To check myfile against a detached signature in myfile.sig: [Recipe 7.14]
$ gpg --verify myfile.sig myfile
Decrypting a signed file [Recipe 7.5] also checks its signature, e.g.:
$ gpg myfile
7.15.3 Discussion
When GnuPG detects a signature, it lets you know:
gpg: Signature made Wed 15 May 2002 10:19:20 PM EDT using DSA key ID 00F5B71F
If the signed file has not been altered, you'll see a result like:
gpg: Good signature from "Shawn Smith <smith@example.com>"
Otherwise:
gpg: BAD signature from "Shawn Smith <smith@example.com>"
indicates that the file is not to be trusted.
If you don't have the public key needed to check the signature, contact the key owner or check keyservers [Recipe 7.21] to obtain it, then import it. [Recipe 7.10]
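For unattended checks, the following added example (not part of the original recipe) reads gpg's machine-readable --status-fd lines instead of the "Good signature" text, and accepts a file only when the signature is good and was made by an expected key. The function names, the verdict strings, and the sample fingerprint and key ID are assumptions made up for illustration; the expected fingerprint is assumed to have been obtained from the key owner out of band.

```shell
#!/bin/sh
# Added example. Classify gpg --status-fd output read on stdin.
# $1: expected signer fingerprint (40 hex digits, no spaces).
# Prints one verdict: good | bad | stale-key | unchecked | wrong-signer | unsigned
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }            # ignore human-readable lines
        $2 == "BADSIG"   { bad = 1 }         # data or signature was altered
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        $2 == "ERRSIG" || $2 == "NO_PUBKEY"  { unchecked = 1 }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" {
            # field 3: signing (sub)key fingerprint; last field: primary key
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want))
                pinned = 1
        }
        END {
            if (bad)                 print "bad"
            else if (stale)          print "stale-key"
            else if (unchecked)      print "unchecked"
            else if (good && pinned) print "good"
            else if (good)           print "wrong-signer"
            else                     print "unsigned"
        }'
}

# verify_detached FPR SIGFILE DATAFILE: succeeds only for verdict "good".
verify_detached() {
    verdict=$(gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
              classify_status "$1")
    echo "$verdict"
    [ "$verdict" = good ]
}

# Constructed sample of status output for a valid signature (not real output).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {
    printf '%s\n' \
        'gpg: Good signature from "Shawn Smith <smith@example.com>"' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Shawn Smith <smith@example.com>' \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2002-05-15 1021515560 0 3 0 17 2 00 $SAMPLE_FPR"
}
sample_status | classify_status "$SAMPLE_FPR"
```

A call such as verify_detached "$FPR" myfile.sig myfile prints the verdict and returns nonzero for anything other than "good", including a good signature from a key other than the expected one.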
7.15.4 See Also
gpg(1).