PGP signatures

Several archives distributed onto this site are cryptographically signed using OpenPGP-compliant signatures. Everyone is encouraged to check the integrity of the downloaded content by verifying its corresponding signature. The signing and verification process ensures that the downloaded files were not modified or tampered since their creation and thus prevents anyone to use corrupted files.

On GNU/Linux, the most common way for verifying the PGP signature is to use GnuPG. First ensure that GnuPG is installed on your system. Then download the archive and its PGP signature and use the gpg2 command to check the integrity of the archive against its signature.

$ wget
$ wget
$ gpg2 --verify Archive-Name-GNU-Linux64.tar.gz.sig

The first time you may obtain the likely output:

gpg: Signature made Wed 20 Sep 2017 08:28:35 AM CEST using RSA key 7322B68F7896C455
gpg: Can't check signature: No public key

This means that you do not have the public part of the PGP key used to sign this archive. In the previous example the key identifier is 7322B68F7896C455. Use gpg2 to download this key from the PGP keyserver.

$ gpg2 --keyserver hkps:// --recv-keys 7322B68F7896C455

Now you can check the integrity of the archive with respect to the previously downloaded public-key.

$ gpg2 --verify Archive-Name-GNU-Linux64.tar.gz.sig
gpg: assuming signed data in 'Archive-Name-GNU-Linux64.tar.gz'
gpg: Signature made Tue 26 Sep 2017 09:28:40 AM CEST
gpg:                using RSA key 1F494948BAA4F5F4A0AF82FF7322B68F7896C455
gpg: Good signature from "Vincent Forest (
gpg:                     <>" [ultimate]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 20EB E4CF 3D9F 4B9A E55D  5F59 679F 2975 93B2 C8A2
     Subkey fingerprint: 1F49 4948 BAA4 F5F4 A0AF  82FF 7322 B68F 7896 C455

Note that GnuPG warns that the key is not certified. In other words you cannot be sure that the key used to sign the archive really belongs to the owner. The best option is to physically meet the actual owner and ask for him about the key validity. More simply, but also less secure, you can review the list of signatures of the key with gpg2 --list-sigs and then make a decision whether you trust that key or not.

On Windows, you can use the GPG4Win tool to verify the archive signature. The process is roughly the same that on GNU/Linux: you first have to import the public key used to sign the archive before verifying its integrity and checking that the imported key really belongs to the owner.