One of my friends recently asked me how to verify a signature that is distributed with an opensource application. Since I didn’t have a machine handy to show him, I thought I would jot this down for him in my blog. The first step in verifying a signature requires locating the public key of the individual who signed the binary. Once you locate the key and validate it’s authenticity, you can use the gpg “–import” option to import the key. Once the key is imported, you can use the gpg “–verify” option to verify that the signature is legit:
$ gpg --verify postfix-2.3.2.tar.gz.sig postfix-2.3.2.tar.gz
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Thu Jul 27 12:49:07 2006 EDT using RSA key ID C12BCD99
gpg: Good signature from "Wietse Venema "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FF 96 4A 8C 96 88 7C 6E A4 EF AD BF 48 34 E1 BB
In the above example, I used Wietse Venema’s public key (which I had previously imported) to verify the signature stored in the file postfix-2.3.2.tar.gz.sig against the source code I downloaded. Gpg is a swell piece of software!