How to Verify File Integrity Using PGP/GPG .asc Signature Files


When downloading software packages, verifying file integrity is crucial. While checksums (like SHA-256) are common, PGP/GPG signatures provide stronger cryptographic verification. The .asc files contain digital signatures that prove:

  • The file hasn't been tampered with
  • The release actually came from the claimed author

Before proceeding, ensure you have GnuPG installed by checking that it reports a version:

gpg --version

If not installed, get GnuPG for your system:

# Linux (Debian/Ubuntu)
sudo apt-get install gnupg

# macOS (using Homebrew)
brew install gnupg

# Windows (via Chocolatey)
choco install gnupg

Here's the step-by-step workflow:

# 1. Download both the target file and its .asc signature
wget https://example.com/package.tar.gz
wget https://example.com/package.tar.gz.asc

# 2. Import the maintainer's public key (if not already trusted)
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys KEY_ID

# 3. Verify the signature
gpg --verify package.tar.gz.asc package.tar.gz

When filenames don't match exactly (common with downloaded files):

# Rename either the target file or signature to match:
mv downloaded_file.ext package.tar.gz
mv signature-file.asc package.tar.gz.asc

# Or use --verify with explicit paths:
gpg --verify /path/to/signature.asc /path/to/downloaded/file

A successful verification shows:

gpg: Signature made [date]
gpg: using RSA key [fingerprint]
gpg: Good signature from "Maintainer Name <maintainer@domain.com>" [ultimate]

Warning signs include:

  • "BAD signature" - indicates tampering
  • Untrusted key - requires manual verification of key fingerprint

For automated environments, use this script:

#!/bin/bash
FILE="package.tar.gz"
SIG="${FILE}.asc"

# Download files
curl -O "https://example.com/${FILE}"
curl -O "https://example.com/${SIG}"

# Import known good key
gpg --import maintainer.asc

# Verify with exit code check
if gpg --status-fd 1 --verify "${SIG}" "${FILE}" | grep -q "GOODSIG"; then
    echo "Verification successful"
    exit 0
else
    echo "Verification failed"
    exit 1
fi

Problem: "Can't check signature: No public key"
Solution: Find and import the correct key:

gpg --keyserver hkps://keyserver.ubuntu.com --search-keys maintainer@domain.com

Problem: "WARNING: This key is not certified"
Solution: Verify the key fingerprint matches project documentation, then trust it:

gpg --edit-key KEY_ID
gpg> trust
Your decision? 5        (5 = I trust ultimately)
gpg> quit
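The automation scripts on this page decide on a bare GOODSIG status line (or the human-readable text "Good signature"). GOODSIG is emitted for any key that happens to be in the keyring, and the human-readable text is translated under non-English locales, so neither one answers the question the "not certified" warning raises: was this signed by the key whose fingerprint the project documents? The following added example (not code from the original article) pins that fingerprint instead: it reads gpg's machine-readable --status-fd output and accepts only a VALIDSIG line naming the pinned fingerprint, with no BADSIG, ERRSIG, NO_PUBKEY, EXPKEYSIG or REVKEYSIG seen. EXPECTED_FPR and every SAMPLE_* block are constructed placeholders, not a real project's values; verify_release is the function you would call on a real download.

```shell
#!/bin/sh
# Added example, not from the original article: accept a release only when gpg
# reports a VALIDSIG whose fingerprint matches one pinned from the project's
# documentation. A bare GOODSIG is emitted for any key in the keyring, so it
# alone does not say who signed. EXPECTED_FPR and the SAMPLE_* status lines
# below are constructed for this demo.

EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # constructed placeholder

# status_ok PINNED_FPR  <  gpg --status-fd lines on stdin
# Succeeds only if a VALIDSIG line names the pinned fingerprint (either the
# signing subkey, field 3, or its primary key, field 12) and no failure status
# (BADSIG, ERRSIG, NO_PUBKEY, EXPKEYSIG, REVKEYSIG) appeared.
status_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" ||
                              $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (toupper($3) == want || toupper($12) == want)             { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_release SIG FILE PINNED_FPR: the real check for an actual download.
# The signer's public key must already be in the keyring (imported from a copy
# obtained out of band, e.g. the project's documentation), as in the page's scripts.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" | status_ok "$3"
}

# Constructed status output for four situations (a real run prints more lines).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Same shape, but signed by a different key that is also present in the keyring;
# a GOODSIG-only check would accept this.
SAMPLE_WRONGKEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maint@example.invalid>'
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1704067200 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'

# Offline demo over the constructed samples: only SAMPLE_GOOD is accepted.
for name in SAMPLE_GOOD SAMPLE_WRONGKEY SAMPLE_BAD SAMPLE_NOKEY; do
    eval "lines=\$$name"
    if printf '%s\n' "$lines" | status_ok "$EXPECTED_FPR"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

Because the decision rests on the pinned fingerprint rather than on the trust database, the script gives the same answer whether or not you ran the trust/5 step in gpg --edit-key; the ownertrust setting only silences the interactive warning. Fingerprints may be pasted with spaces or in lower case as they appear in project docs; status_ok normalizes both before comparing.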

When downloading software packages from open-source projects, you'll often encounter two verification methods: checksums (like SHA256) and PGP signatures (.asc files). While checksums verify file integrity, PGP signatures provide both integrity and authenticity verification through cryptographic signing.

Ensure you have GnuPG installed:

# Ubuntu/Debian
sudo apt-get install gnupg

# RHEL/CentOS
sudo yum install gnupg

# macOS (via Homebrew)
brew install gnupg

Using the OSSEC project as a case study, here's the complete verification workflow:

# 1. Download both the package and signature file
wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
wget https://github.com/ossec/ossec-hids/releases/download/3.7.0/ossec-hids-3.7.0.tar.gz.asc

# 2. Import the project's public key (if not already trusted)
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xC374759A67D4A12D

# 3. Verify the signature
gpg --verify ossec-hids-3.7.0.tar.gz.asc 3.7.0.tar.gz

When the downloaded filename differs from the signed filename (a common scenario), pass the file to check explicitly as the second argument to --verify (the --output flag names a file to write to, not the file to check):

gpg --verify downloaded_file.asc actual_file_to_verify.ext

A successful verification shows:

gpg: Signature made Wed 30 Nov 2022 04:25:42 PM UTC
gpg:                using RSA key C374759A67D4A12D
gpg: Good signature from "OSSEC Project " [ultimate]

Key warning scenarios:

  • "WARNING: This key is not certified" - The signer's identity isn't verified
  • "BAD signature" - File tampering detected

For automated environments, use this Bash snippet:

#!/bin/bash
FILE="package.tar.gz"
SIG="${FILE}.asc"

# Check gpg's machine-readable status output (--status-fd) rather than the
# human-readable "Good signature" text, which is translated under non-English locales.
verify_signature() {
    gpg --batch --status-fd 1 --verify "${SIG}" "${FILE}" | grep -q "^\[GNUPG:\] GOODSIG "
}

if verify_signature; then
    echo "Verification successful - proceeding with installation"
    # Add deployment commands here
else
    echo "ERROR: Signature verification failed"
    exit 1
fi

If you're distributing signed files:

  1. Always sign with a dedicated release key (not your personal key)
  2. Publish your public key on multiple keyservers
  3. Include fingerprint verification instructions in your docs
  4. Consider using --detach-sign for cleaner signature files:

     gpg --armor --detach-sign --output package.tar.gz.asc package.tar.gz
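To see both halves of the process together, here is an added example (not from the original article) that exercises the release side in an isolated keyring: it generates a throwaway release key in a scratch GNUPGHOME, signs a constructed file with the same --armor --detach-sign command shown above, verifies the result the way a downloader would while pinning the key's fingerprint, and then confirms that a file altered after signing is rejected. It goes slightly beyond the list above by including that tamper check. It assumes GnuPG 2.x is on PATH; the key name, e-mail address and file contents are constructed, and nothing touches your real ~/.gnupg.

```shell
#!/bin/sh
# Added example, not from the original article: sign a constructed file with a
# throwaway release key in a scratch GNUPGHOME, verify it against the key's
# pinned fingerprint, then show that a modified file fails verification.
# Assumes GnuPG 2.x on PATH. Key name, e-mail and file contents are constructed.

make_scratch_home() {   # isolated keyring so the real ~/.gnupg is untouched
    dir=$(mktemp -d) || return 1
    chmod 700 "$dir"
    printf '%s' "$dir"
}

make_release_key() {    # $1 = GNUPGHOME; prints the new key's fingerprint
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Release Key <release@example.invalid>' \
        ed25519 sign 1d >/dev/null 2>&1 || return 1
    GNUPGHOME=$1 gpg --batch --with-colons --with-fingerprint \
        --list-keys release@example.invalid 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

sign_release() {        # $1 = GNUPGHOME, $2 = file; writes $2.asc with the page's command
    GNUPGHOME=$1 gpg --batch --yes --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

verify_release() {      # $1 = GNUPGHOME, $2 = file, $3 = pinned fingerprint
    GNUPGHOME=$1 gpg --batch --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

cleanup() {             # stop the agent gpg started for the scratch home, then delete it
    GNUPGHOME=$1 gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$1"
}

# round_trip: returns 0 when the untouched file verifies against the pinned
# fingerprint AND the tampered copy is rejected; returns 1 on any other outcome.
round_trip() {
    home=$(make_scratch_home) || return 1
    fpr=$(make_release_key "$home")
    [ -n "$fpr" ] || { cleanup "$home"; return 1; }
    file="$home/package.tar.gz"                  # constructed stand-in for a tarball
    printf 'constructed release contents\n' > "$file"
    sign_release "$home" "$file" || { cleanup "$home"; return 1; }
    verify_release "$home" "$file" "$fpr" || { cleanup "$home"; return 1; }
    printf 'x' >> "$file"                        # one byte appended after signing
    if verify_release "$home" "$file" "$fpr"; then cleanup "$home"; return 1; fi
    cleanup "$home"
    return 0
}

if round_trip; then
    echo "round trip OK: good file accepted, tampered file rejected"
else
    echo "round trip FAILED (is gpg installed?)"
fi
```

The fingerprint printed by make_release_key is what a real project would publish in its documentation (item 3 above); downloaders pin that value, not the short key ID, because VALIDSIG reports the full fingerprint while GOODSIG reports only the 64-bit ID.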