mirror of
https://github.com/sunknudsen/privacy-guides.git
synced 2025-02-23 01:03:59 +00:00
How to verify PGP digital signatures using GnuPG on macOS
Requirements
- Computer running macOS Catalina or Big Sur
Caveats
- When copy/pasting commands that start with $, strip out $ as this character is not part of the command
Setup guide
Step 1: install Homebrew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
uname -m | grep arm64 && echo 'export PATH=$PATH:/opt/homebrew/bin' >> ~/.zshrc && source ~/.zshrc
Step 2: disable Homebrew analytics
brew analytics off
Step 3: install GnuPG
brew install gnupg
👍
Usage guide
Import signer’s public key using key server…
Heads-up: replace 0xC1323A377DE14C8B with signer’s public key ID.
$ gpg --keyserver hkps://keys.openpgp.org --recv-keys 0xC1323A377DE14C8B
gpg: key 0xC1323A377DE14C8B: public key "Sun Knudsen <hello@sunknudsen.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
imported: 1
👍
…or using public key URL
Heads-up: replace https://sunknudsen.com/sunknudsen.asc with signer’s public key URL.
$ curl https://sunknudsen.com/sunknudsen.asc | gpg --import
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6896 100 6896 0 0 11589 0 --:--:-- --:--:-- --:--:-- 11570
gpg: key 0xC1323A377DE14C8B: public key "Sun Knudsen <hello@sunknudsen.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
imported: 1
👍
Verify signer’s public key using fingerprint
Heads-up: replace hello@sunknudsen.com with signer’s email and use published fingerprints or web of trust to verify signer’s fingerprint (see example).
$ gpg --fingerprint hello@sunknudsen.com
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa4096 2019-10-17 [C]
C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
uid [ unknown] Sun Knudsen <hello@sunknudsen.com>
sub rsa4096 2019-10-17 [E] [expires: 2021-10-25]
sub rsa4096 2019-10-17 [A] [expires: 2021-10-25]
sub rsa4096 2019-10-17 [S] [expires: 2021-10-25]
Verify signed message
$ gpg --verify donate-bitcoin.asc
gpg: Signature made Sun 7 Mar 14:58:01 2021 EST
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
Good signature
👍
Verify signed file using detached signature
$ gpg --verify app-cleaner.sh.sig
gpg: assuming signed data in 'app-cleaner.sh'
gpg: Signature made Wed 17 Mar 09:57:42 2021 EDT
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
Good signature
👍
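Added example, not part of the original guide: gpg prints "Good signature" for any key present in the keyring, so a scripted check should also confirm that the signing key belongs to the primary key fingerprint verified above. This script parses gpg's machine-readable `--status-fd` output to do that; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): fail closed unless the signature
# is good AND was made under the pinned primary key fingerprint.

# Primary key fingerprint shown in this guide, spaces removed.
PINNED_FPR="C4FBDDC16A262672920D0A0FC1323A377DE14C8B"

# check_status PINNED_FPR: reads `gpg --status-fd` lines on stdin.
# VALIDSIG is also emitted for expired or revoked keys, so GOODSIG is required
# and any EXPSIG/EXPKEYSIG/REVKEYSIG/BADSIG/ERRSIG line is a failure.
# Field 12 of VALIDSIG is the primary key fingerprint (field 3 is the subkey).
check_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "GOODSIG"  { good++ }
    $2 == "VALIDSIG" { valid++; if ($12 == want) pinned++ }
    $2 ~ /^(EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG)$/ { bad++ }
    END { exit !(good == 1 && valid == 1 && pinned == 1 && bad == 0) }
  '
}

# verify_pinned SIGNATURE [SIGNED_FILE]: wraps the --verify commands above.
verify_pinned() {
  gpg --status-fd 1 --verify "$@" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output (timestamps and algorithm fields are illustrative).
SAMPLE_GOOD='[GNUPG:] GOODSIG 1FA767862BBD1305 Sun Knudsen <hello@sunknudsen.com>
[GNUPG:] VALIDSIG A98CCD122243655B26FAFB611FA767862BBD1305 2021-03-17 1615989462 0 4 0 1 10 00 C4FBDDC16A262672920D0A0FC1323A377DE14C8B'
# Same signature after the signing subkey has expired: VALIDSIG is still present.
SAMPLE_EXPIRED='[GNUPG:] EXPKEYSIG 1FA767862BBD1305 Sun Knudsen <hello@sunknudsen.com>
[GNUPG:] VALIDSIG A98CCD122243655B26FAFB611FA767862BBD1305 2021-03-17 1615989462 0 4 0 1 10 00 C4FBDDC16A262672920D0A0FC1323A377DE14C8B'
# Good signature from a different, placeholder key carrying the same user ID.
SAMPLE_OTHER='[GNUPG:] GOODSIG 0000000000000001 Sun Knudsen <hello@sunknudsen.com>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2021-03-17 1615989462 0 4 0 1 10 00 0000000000000000000000000000000000000002'

# Run the check over the constructed samples.
for name in GOOD EXPIRED OTHER; do
  eval "sample=\$SAMPLE_$name"
  if printf '%s\n' "$sample" | check_status "$PINNED_FPR"; then
    echo "$name: accept"
  else
    echo "$name: reject"
  fi
done
```

With GnuPG installed, `verify_pinned app-cleaner.sh.sig` returns 0 only when both conditions hold.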