
Article: How can I certify or check the authenticity of stored files?

Item posted by Mathieu Roy <yeupou> on Mon 10 May 2004 10:27:34 AM UTC.

How can I certify or check the authenticity of stored files?

To check the authenticity of a file, one of the best tools currently available is GPG. We will not describe here what GnuPG is and how it works: if you are looking for that information, check the GnuPG documentation.

    • How can I check the authenticity of a file using GnuPG [for everybody]

You can use GnuPG to check the authenticity of a file only if that file was signed with GnuPG in the first place.

Download the file you are interested in and its signature. The signature is usually named after the file, with a .sig extension. For instance, at , you can download savane-1.0.2.tar.gz (the file) and savane-1.0.2.tar.gz.sig (the signature).

Use GnuPG to verify the signature against the file (given only a detached signature, gpg looks for the signed file under the same name without the .sig suffix):
gpg --verify savane-1.0.2.tar.gz.sig

If it says that the relevant public key was not found, you must import the public key of the person who signed the file. We recommend that developers give this information in their download area. For instance, this is mentioned at , in a section called GPG Signature. You can search for and import a key by typing:
gpg --search-keys name_of_the_person_that_signed_the_file

If it says the signature is good, the authenticity of the file is confirmed, provided that the signing key belongs to a member of the project: a good signature only tells you who signed the file, so also check that the signer is one of its developers.

    • How can I sign a file using GnuPG [for developers]

Users can only check the authenticity of files if those files have been signed by their authors. So it is important that developers sign their packages, especially software release tarballs.

Obviously, you need your own GPG key to sign files. We will not describe here how to create such a key: please read the GnuPG documentation.

The best option is to create a "detached" signature (a signature stored as a separate file, not appended to the original file). You can do that by typing the following, which writes the signature to myfile.sig:
gpg --detach-sign myfile

When it is done, you can upload both the file and the signature.

You should make sure that your public key is available to users by sending it to a key server:
gpg --send-keys your_key_id

You should make sure users can easily import your GPG key from the key server. To do so, you can mention an accurate search string in a file called README.html, stored in the same directory as the signed files, like

(This article has been added as a FAQ entry)
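The two procedures above (verifying a detached signature as a user, and producing one as a developer) combined into one script, added here as an example and not code from the article or from Savane. It also performs the check the article only hints at: that the signing key belongs to a known project member, using a hypothetical trusted-fingerprint file obtained out of band (for instance from the project's README.html). The demo builds a throwaway keyring and constructed "release" files so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original article or from Savane: verify a
# detached GnuPG signature and also confirm that the signing key belongs to a
# known project member, which "gpg --verify" alone does not tell you.
# Hypothetical: a trusted-fingerprint file obtained out of band (for instance
# from the project's README.html), one full fingerprint per line.

# verify_release FILE SIGFILE TRUSTED_FPR_FILE
# Exit status: 0 good signature from a listed key
#              1 bad signature, or signing key not in the keyring
#              2 good signature, but the key is not in the trusted list
verify_release() {
    file=$1; sig=$2; trusted=$3
    # --status-fd 1 gives machine-readable status lines, independent of locale.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # VALIDSIG is emitted only for a good signature; its first argument is the fingerprint.
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    grep -qix "$fpr" "$trusted" && return 0
    return 2
}

# Self-contained demo: a throwaway keyring plus constructed "release" files.
setup_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    DEMO=$GNUPGHOME/work; mkdir -p "$DEMO"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Dev <dev@example.invalid>' default default never 2>/dev/null
    printf 'constructed release contents\n' > "$DEMO/savane-1.0.2.tar.gz"
    # Detached signature, as the article recommends: writes savane-1.0.2.tar.gz.sig
    gpg --batch --quiet --detach-sign "$DEMO/savane-1.0.2.tar.gz"
    # The developer's fingerprint becomes the project's trusted list.
    gpg --batch --with-colons --fingerprint 'dev@example.invalid' \
        | awk -F: '$1 == "fpr" { print $10; exit }' > "$DEMO/trusted.txt"
    : > "$DEMO/empty.txt"                                    # no trusted signers at all
    printf 'tampered contents\n' > "$DEMO/tampered.tar.gz"   # modified release
}

cleanup_demo() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}
```

Source the script, run setup_demo, then call verify_release on the good release, on the release with the empty trusted list, and on the tampered copy to see exit statuses 0, 2 and 1 respectively.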


Message: 126
GPG fingerprints (posted by dylanwh, Mon 10 May 2004 02:40:39 AM UTC)

It can be quite useful to put your GPG fingerprint in your ~/.signature file, having it propagate to all the mailing lists you frequent.
