s83/privacy-guides
1
0
Fork 0
mirror of https://github.com/sunknudsen/privacy-guides.git synced 2025-02-23 09:13:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
privacy-guides/how-to-verify-pgp-digital-signatures-using-gnupg-on-macos/README.md

134 lines
4.6 KiB
Markdown
Raw Normal View History

Added digital signature verification guide
2021-03-25 06:39:21 -04:00
<!--
Title: How to verify PGP digital signatures using GnuPG on macOS
Description: Learn how to verify PGP digital signatures using GnuPG on macOS.
Author: Sun Knudsen <https://github.com/sunknudsen>
Contributors: Sun Knudsen <https://github.com/sunknudsen>
Reviewers:
Publication date: 2021-03-24T12:40:31.074Z
Listed: true
-->
# How to verify PGP digital signatures using GnuPG on macOS
Added thumbnail to digital signature verification guide
2021-03-25 16:01:50 -04:00
[![How to verify PGP digital signatures using GnuPG on macOS](how-to-verify-pgp-digital-signatures-using-gnupg-on-macos.png)](https://www.youtube.com/watch?v=WnNfunEJdQY "How to verify PGP digital signatures using GnuPG on macOS")
Deprecated macOS Mojave and added Big Sur/M1 support
2021-11-05 09:07:15 -04:00
## Requirements
- Computer running macOS Catalina or Big Sur
Added digital signature verification guide
2021-03-25 06:39:21 -04:00
## Caveats
- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
## Setup guide
### Step 1: install [Homebrew](https://brew.sh/)
```shell
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
Sourced ~/.zshrc on arm64
2021-11-05 09:37:23 -04:00
uname -m | grep arm64 && echo 'export PATH=$PATH:/opt/homebrew/bin' >> ~/.zshrc && source ~/.zshrc
Added digital signature verification guide
2021-03-25 06:39:21 -04:00
```
### Step 2: disable Homebrew analytics
```shell
brew analytics off
```
### Step 3: install [GnuPG](https://gnupg.org/)
```shell
brew install gnupg
```
👍
---
## Usage guide
Fixed typo
2021-03-25 15:57:46 -04:00
### Import signers public key using key server…
Added digital signature verification guide
2021-03-25 06:39:21 -04:00
> Heads-up: replace `0xC1323A377DE14C8B` with signers public key ID.
```console
$ gpg --keyserver hkps://keys.openpgp.org --recv-keys 0xC1323A377DE14C8B
gpg: key 0xC1323A377DE14C8B: public key "Sun Knudsen <hello@sunknudsen.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
imported: 1
👍
### …or using public key URL
> Heads-up: replace `https://sunknudsen.com/sunknudsen.asc` with signers public key URL.
```console
$ curl https://sunknudsen.com/sunknudsen.asc | gpg --import
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6896 100 6896 0 0 11589 0 --:--:-- --:--:-- --:--:-- 11570
gpg: key 0xC1323A377DE14C8B: public key "Sun Knudsen <hello@sunknudsen.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
```
imported: 1
👍
### Verify signers public key using fingerprint
> Heads-up: replace `hello@sunknudsen.com` with signers email and use published fingerprints or web of trust to verify signers fingerprint (see [example](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint)).
```console
$ gpg --fingerprint hello@sunknudsen.com
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa4096 2019-10-17 [C]
C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
uid [ unknown] Sun Knudsen <hello@sunknudsen.com>
sub rsa4096 2019-10-17 [E] [expires: 2021-10-25]
sub rsa4096 2019-10-17 [A] [expires: 2021-10-25]
sub rsa4096 2019-10-17 [S] [expires: 2021-10-25]
```
### Verify [signed message](https://sunknudsen.com/static/media/cms/donate/donate-bitcoin.asc)
```console
$ gpg --verify donate-bitcoin.asc
gpg: Signature made Sun 7 Mar 14:58:01 2021 EST
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
```
Good signature
👍
### Verify signed [file](https://sunknudsen.com/static/media/privacy-guides/how-to-clean-uninstall-macos-apps-using-appcleaner-open-source-alternative/app-cleaner.sh) using [detached signature](https://sunknudsen.com/static/media/privacy-guides/how-to-clean-uninstall-macos-apps-using-appcleaner-open-source-alternative/app-cleaner.sh.sig)
```console
$ gpg --verify app-cleaner.sh.sig
gpg: assuming signed data in 'app-cleaner.sh'
gpg: Signature made Wed 17 Mar 09:57:42 2021 EDT
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
```
Good signature
👍
Reference in New Issue Copy Permalink