verifying using gpg
Bevan C. Bennett
bevan at fulcrummicro.com
Wed Apr 14 00:21:32 UTC 2004
Al Sparks wrote:
> Is there a straightforward HOWTO somewhere on how to use gpg to verify
> downloads when a sig is provided?
It doesn't really seem worth a HOW-TO... at the simplest it's just:
% gpg --verify detached_signature file_to_check
If you have the correct key to verify against downloaded as well
(recommended) then do this first, otherwise it will just say whether the
signature is good or not, but not verify who signed it:
% gpg --import public_key_file
This will work for most source code distributions. If you want to verify
the signature on an rpm file, you need to use the rpm command's built-in
mechanism instead, however:
% rpm -K rpm_file_to_verify.rpm
If it complains about missing keys, go to the repository where you
acquired the rpm and download their public key (it should be prominently
displayed), then run:
% rpm --import keyfile
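
Added example, not part of the original post: `gpg --verify` exits successfully for a good signature made by any key in the keyring, so a script that checks downloads can also pin the fingerprint of the expected signer. This one parses GnuPG's `--status-fd` output; the function names, the sample fingerprint and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a download only if a pinned key signed it.

# Reads GnuPG --status-fd lines on stdin; $1 = expected 40-hex fingerprint.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature or its key cannot be relied on.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; the last field
        # is the primary key fingerprint. The "" forces string comparison.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# $1 = detached signature, $2 = downloaded file, $3 = expected fingerprint.
verify_download() {
    # Status lines go to stdout; the human-readable text on stderr is dropped.
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed status output (not captured from a real run), for a dry check.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>' \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2004-04-14 1081902092 0 4 0 1 2 00 $SAMPLE_FPR"
}

# Run as: script detached_signature file_to_check expected_fingerprint
if [ "$#" -eq 3 ]; then
    verify_download "$@"
fi
```

The expected fingerprint should come from a channel other than the download site itself, for example a key already in use or a printed announcement.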