Howto: Verify integrity of the tar balls with gpg command

GnuPG is a complete and free replacement for PGP. You will use gpg command to validate a GPG certificate. For example, purpose download Apahce-web server tar ball. Visit Apache web site to download latest version of Apache. As usual, use wget command:

ADVERTISEMENTS

$ wget http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz

Next download gpg key listed next to download link:
$ wget http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz.asc

How do I verify integrity of the tar ball?

Use gpg command as follows:
$ gpg httpd-2.0.55.tar.gz.asc
Output:

gpg: Signature made Monday 10 October 2005 07:05:15 AM IST using RSA key ID 10FDE075
gpg: Can't check signature: public key not found

You will see an error message ‘Can’t check signature: public key not found’. It means you need to get the key (called 10FDE075) and install it in your public keyring. You can download key from free public key server such as pgpkeys.mit.edu

$ gpg --keyserver pgpkeys.mit.edu --recv-key 10FDE075
Output:

gpg: requesting key 10FDE075 from hkp server pgpkeys.mit.edu
gpg: key 10FDE075: duplicated user ID detected - merged
gpg: key 10FDE075: public key "wrowe@covalent.net" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Once the key is installed, use the following command to check the certificate of a source code file/tar ball:
$ gpg --fingerprint 10FDE075
$ gpg --verify httpd-2.0.55.tar.gz.asc httpd-2.0.55.tar.gz

Online References:

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source & DevOps topics via:
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
3 comments… add one
  • malvin Feb 10, 2007 @ 5:23

    hello,

    you may have to change the switches from “-” to “–” for invoking various opens else the computer complains.

    regs,
    malvin

  • 🐧 nixCraft Feb 10, 2007 @ 8:41

    Nalvin,

    I’ve updated code. Thanks for heads up.

  • obi Sep 3, 2010 @ 16:33

    Great article, just what I needed.

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.