To verify the PGP signature of a tarball file in UNIX/Linux, you can follow these steps:
- Download both the tarball and the PGP signature file from the source.
- Import the signer’s public key into your keyring. For example, if the signer’s key is available on a keyserver, you can import it using the following command:
  `gpg --recv-keys KEYID`
  Replace `KEYID` with the ID of the signer’s public key.
- Verify the signature of the tarball using the following command:
  `gpg --verify TARFILE.asc TARFILE`
  Replace `TARFILE.asc` with the filename of the PGP signature file and `TARFILE` with the filename of the tarball. The `--verify` option tells `gpg` to verify the signature of the tarball.

If the signature is valid, `gpg` will output a message indicating that the signature is good and that the file was signed by the signer’s key.

If the signature is not valid, `gpg` will output a message indicating that the signature is bad, and you should not trust the tarball.

If `gpg` reports that the public key is not found, it means that the key is not in your keyring, and you should import it as described in step 2.

If `gpg` reports that the signature is good but with a warning such as “The key is not certified with a trusted signature,” it means that the signature is valid, but the signer’s key is not trusted. In this case, you may want to verify the key’s fingerprint against one the signer has published through a separate channel and then trust it manually using the `gpg --edit-key` command.
By verifying the PGP signature of a tarball file, you can ensure that the file was not tampered with during transfer and that it was actually signed by the person or organization claiming to have signed it.
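The human-readable messages above are meant for people; a script should instead read the machine-readable status lines `gpg` emits with `--status-fd` (`GOODSIG`, `BADSIG`, `VALIDSIG`, `NO_PUBKEY`, `TRUST_*`) and pin the signer's fingerprint. The following is an added example, not part of the original page; the fingerprint passed in and the constructed status lines in the test are assumptions.

```shell
#!/bin/sh
# Classify the status lines gpg writes with --status-fd (one per line on stdin).
# $1 is the expected signer fingerprint (40 hex characters, no spaces).
# Prints exactly one verdict word:
#   good-trusted | good-untrusted | wrong-key | bad | no-pubkey | no-sig
classify_gpg_status() {
    expected_fpr=$1
    goodsig=0 badsig=0 nopubkey=0 trusted=0 fpr=""
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*)    goodsig=1 ;;
            "[GNUPG:] BADSIG "*)     badsig=1 ;;
            "[GNUPG:] NO_PUBKEY "*)  nopubkey=1 ;;   # key missing: "import it" case
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fingerprint> <date> <timestamp> ... : third field is the fpr
                fpr=$(printf '%s\n' "$line" | awk '{print $3}') ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
        esac
    done
    if   [ "$badsig" = 1 ];             then echo bad            # tampered or wrong file
    elif [ "$nopubkey" = 1 ];           then echo no-pubkey      # run gpg --recv-keys first
    elif [ "$goodsig" = 0 ];            then echo no-sig         # nothing verifiable at all
    elif [ "$fpr" != "$expected_fpr" ]; then echo wrong-key      # good sig, but not the key we pinned
    elif [ "$trusted" = 1 ];            then echo good-trusted
    else                                     echo good-untrusted # the "not certified" warning case
    fi
}

# Verify TARFILE against its detached signature, pinned to a fingerprint.
# Usage: verify_tarball TARFILE TARFILE.asc FINGERPRINT
# Status goes to stdout via --status-fd 1; gpg's human-readable text stays on stderr.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$2" "$1" | classify_gpg_status "$3"
}
```

Treat only `good-trusted` (or `good-untrusted` after you have checked the fingerprint yourself) as a pass; every other verdict means the tarball must not be used.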