PGP Tool

Learn · 5 min read · 2026-02-15

How to verify a PGP signature, and why you should

A signature on a release file is only useful if you actually check it. Here is the 30-second workflow, and what each step is really proving.

You downloaded a binary, the developer published a .asc signature next to it, and now what? Most people do nothing. The few who verify catch supply-chain attacks before they execute compromised code.

What a signature actually proves

A valid PGP signature proves two things: (1) the file has not been altered since it was signed, and (2) it was signed by someone holding the private key whose public counterpart you used to verify. It does not prove the signer is honest, or that the public key you are using is theirs.

That second clause matters. If an attacker swaps the published file AND publishes their own public key alongside it, the signature will verify perfectly — against the wrong key. The only defence is establishing the signer's key out of band: a published fingerprint on a different domain, a transparency log, a key server lookup, or an in-person exchange.

The verification workflow

  1. Download the file and the signature (typically file.tar.gz and file.tar.gz.asc).
  2. Get the signer's public key. Prefer a source unrelated to the binary — a keyserver, a printed fingerprint at a conference, or a public profile on a different domain.
  3. Open the Verify tool and paste the signature, the original file, and the public key.
  4. Confirm the verification result shows "Valid signature" with the expected signer.
  5. Cross-check the public key fingerprint against the source you trust.
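The same five steps at the command line, as an added example that is not the PGP Tool page's code or its Verify tool. It assumes GnuPG (gpg) is installed and that the signer's public key was already imported in step 2; the fingerprint passed as the third argument must come from the out-of-band source of step 5, and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not the PGP Tool page's code): command-line form of the
# five-step workflow, using GnuPG. Assumes gpg is installed and the signer's
# public key is already in the keyring. EXPECTED_FINGERPRINT is whatever you
# obtained out of band (keyserver, conference slide, unrelated domain).

# verify_release FILE SIGNATURE EXPECTED_FINGERPRINT
#   exit 0: signature valid AND made by the expected key
#   exit 1: gpg rejects the signature (tampered file, unknown or wrong-format key)
#   exit 2: signature valid, but from a different key than the one you trust
verify_release() {
  file=$1; sig=$2
  # Accept fingerprints pasted with spaces or lowercase hex.
  expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')

  # Step 4: let gpg check the signature. --status-fd 1 writes machine-readable
  # "[GNUPG:] ..." lines to stdout; no VALIDSIG line means "not valid".
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file") || return 1
  # VALIDSIG field 3 is the signing key's fingerprint; the last field is the
  # primary key's fingerprint when a subkey made the signature.
  fprs=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $3; print $NF; exit}')
  [ -n "$fprs" ] || return 1

  # Step 5: "Good signature" only says *some* key in your keyring made it.
  # The fingerprint comparison is what ties it to the signer you trust.
  for fpr in $fprs; do
    if [ "$fpr" = "$expected" ]; then
      echo "valid signature on $file from key $fpr"
      return 0
    fi
  done
  echo "valid signature, but from $(printf '%s\n' "$fprs" | head -n 1), not the expected key" >&2
  return 2
}

# Stand-alone use: sh verify_release.sh file.tar.gz file.tar.gz.asc <FINGERPRINT>
if [ "$#" -eq 3 ]; then
  verify_release "$@"
fi
```

The two failure paths are the two attacks from the sections above: a tampered file makes gpg reject the signature (exit 1), and a swapped file signed with the attacker's own key verifies fine but trips the fingerprint check (exit 2). Only the exit 0 path means the file is what the signer published.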

Detached vs clearsign vs encrypted-and-signed

  • Detached signature — the .asc lives in a separate file. Used for binaries, archives, large blobs.
  • Clearsigned message — the signed text and the signature are both in the same .asc, with the original text in plain view. Used for emails and announcements.
  • Encrypted+signed — the message is both encrypted to the recipient and signed by the sender. Decrypt first, then verify the inner signature.
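To see what a detached .asc actually carries, here is an added Python parser (not the page's code and not the Verify tool). It unwraps the ASCII armor, checks the CRC-24 armor checksum, and reads the version 4 signature packet for the hash algorithm, creation time, issuer key ID and issuer fingerprint. The sample signature it builds is constructed with a placeholder MPI, so it will never verify against any key; the field layout, the 0x89 header byte and the subpacket numbers come from RFC 4880.

```python
"""Added example (not the PGP Tool page's code): read what a detached .asc contains before
verifying it. Dearmors an OpenPGP signature (RFC 4880 section 6), checks the CRC-24 armor
checksum, walks the packet header and the v4 signature fields, and reports issuer, hash
algorithm and creation time. It does NOT verify the signature; that still needs gpg."""
import base64
import struct

BEGIN, END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}


def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armor wrapper, base64-decode the body and verify the =CRC line."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("not an armored PGP signature")
    block = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if "" in block:  # armor headers such as "Version:" end at the first blank line
        block = block[block.index("") + 1:]
    crc_line = block.pop() if block and block[-1].startswith("=") else None
    data = base64.b64decode("".join(block))
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: the .asc was corrupted or edited")
    return data


def read_packet_header(data: bytes, pos: int = 0):
    """(tag, body_start, body_end) of an old-format packet header (RFC 4880 section 4.2)."""
    first = data[pos]
    if first & 0xC0 != 0x80:  # gpg writes signature packets old-format; new-format is not handled
        raise ValueError("not an old-format packet header")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # tag in bits 2-5, length size in bits 0-1
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    hdr = 1 + (1 << ltype)  # 1, 2 or 4 length octets follow the tag octet
    length = int.from_bytes(data[pos + 1:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length


def read_subpackets(blob: bytes) -> dict:
    """Signature subpackets (RFC 4880 section 5.2.3.1) as {type: body}."""
    out, pos = {}, 0
    while pos < len(blob):
        l1 = blob[pos]
        if l1 >= 255:
            raise ValueError("5-octet subpacket lengths not handled here")
        length, pos = (l1, pos + 1) if l1 < 192 else (((l1 - 192) << 8) + blob[pos + 1] + 192, pos + 2)
        out[blob[pos] & 0x7F] = blob[pos + 1:pos + length]  # bit 7 of the type octet = "critical"
        pos += length
    return out


def parse_signature(text: str) -> dict:
    """Summarise a v4 signature packet; raises ValueError on malformed input."""
    data = dearmor(text)
    tag, start, end = read_packet_header(data)
    if tag != 2 or data[start] != 4:
        raise ValueError(f"expected a version 4 signature packet, got tag {tag} v{data[start]}")
    body = data[start:end]
    n = struct.unpack(">H", body[4:6])[0]
    hashed = read_subpackets(body[6:6 + n])
    m = struct.unpack(">H", body[6 + n:8 + n])[0]
    unhashed = read_subpackets(body[8 + n:8 + n + m])
    # The issuer key ID (subpacket 16) normally sits in the UNHASHED area, outside what the
    # signature covers: use it to look the key up, never as evidence of who signed.
    issuer, fpr, created = unhashed.get(16) or hashed.get(16), hashed.get(33), hashed.get(2)
    return {"hash_algo": HASH_ALGOS.get(body[3], body[3]), "pk_algo": body[2],  # 1 = RSA, 22 = EdDSA
            "created": struct.unpack(">I", created)[0] if created else None,
            "issuer_key_id": issuer.hex().upper() if issuer else None,
            "issuer_fingerprint": fpr[1:].hex().upper() if fpr else None}  # fpr[0] = key version


def build_sample_signature(fingerprint_hex: str, created: int) -> str:
    """Constructed sample: well-formed v4 RSA/SHA-256 signature with a placeholder MPI. Never verifies."""
    def sub(t: int, b: bytes) -> bytes:  # subpacket = length octet, type octet, body
        return bytes([len(b) + 1, t]) + b
    fpr = bytes.fromhex(fingerprint_hex)
    hashed = sub(2, struct.pack(">I", created)) + sub(33, b"\x04" + fpr)
    unhashed = sub(16, fpr[-8:])  # key ID = low 64 bits of a v4 fingerprint
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", len(unhashed))
            + unhashed + b"\xab\xcd" + b"\x08\x00\x80" + b"\x00" * 255)  # hash prefix + 2048-bit placeholder MPI
    packet = bytes([0x89]) + struct.pack(">H", len(body)) + body  # 0x89 = old-format header, tag 2, 2-octet length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n={crc}\n{END}\n"


if __name__ == "__main__":
    print(parse_signature(build_sample_signature("00" * 12 + "0123456789ABCDEF", 1700000000)))
```

Run it on a real release signature with `parse_signature(open("file.tar.gz.asc").read())` to learn which key to fetch before you verify. Because the issuer key ID lives in the unhashed area, someone who swaps the file and publishes their own key can write any key ID there too; it tells you which key to look up, and only the fingerprint cross-check in step 5 tells you whether to trust it.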

Common mistakes

  • Verifying with a public key downloaded from the same place as the binary — defeats the purpose.
  • Ignoring "good signature, but key not certified" warnings without checking the fingerprint.
  • Re-saving the file before verification — an editor that converts line endings changes the bytes, and a detached signature over the original bytes no longer matches.