Signing files is a way to ensure that the message/texts/emails are from the right sender and its content has not been tempered with. Gpg -out decrypted.txt -decrypt encrypted_file.txt Signing Email or body of textsĪlternatively, you can chose to sign emails/texts instead of encrypting them. Files encrypted with private key can only be decrypted with public key and vice-versa. Gpg -out encrypted_file.txt -encrypt original_file.txt The command that can be used to encrypt file is : You can use GPG to encrypt files, it can be only decrypted by those who have your public-key. The application will ask you to enter your ID and passphrase, make sure you choose a strong passphrase to guarantee the safety and security of your keys. To use GPG, you need to generate the public-key/private-key pairs in your computer by running this command, and choose the default option You can use GPG to encrypt, decrypt, sign and verify files or emails.
Then substitute “ gpg” with “ C:\Program Files\Gnu\GnuPg\gpg.exe” in the four commands above.GPG or the GNU Privacy Guard is a free and open source software that implements OpenPGP public-key cryptography message format ( RFC4880).
Windows users can download and install GPG (Gpg4win) from here: It can be used to encrypt, decrypt, and sign files, to verify signatures and to manage the private and public keys. The GNU Privacy Assistant (GPA) is a graphical user interface for the GNU Privacy Guard (GnuPG). You can verify the AECF1D2F key does indeed belong to a Peppermint developer by going to the Peppermint team members page on Launchpad and clicking on Mark-pcnetspec where you should see the key listed under OpenPGP keys.Ī graphical method for verifying the signatures in Linux would be to install the gpa package.
If it doesn’t contain that line, or instead states “BAD signature”, the ISO image is corrupt and should be discarded. If it contains that line the ISO has been verified as intact and unaltered. Primary key fingerprint: 4A9F 9066 13AF ABED CFA3 92C2 E499 FD0B AECF 1D2FĪnd contain the line:- gpg: Good signature from "Mark Greaves (PCNetSpec) " Gpg: There is no indication that the signature belongs to the owner.
Gpg: WARNING: This key is not certified with a trusted signature! Gpg: Good signature from "Mark Greaves (PCNetSpec) " The output will be similar to:- gpg: Signature made Thu 02:33:19 BST using RSA key ID AECF1D2F (remember to change the above file names if you’re checking a different version of Peppermint against its corresponding signature file) Now you can verify the ISO image against the GPG signature file, by running: gpg -verify Peppermint-10-20191210-amd64.iso Key fingerprint = 4A9F 9066 13AF ABED CFA3 92C2 E499 FD0B AECF 1D2F Which should return:- pub 2048R/AECF1D2F Next, verify the key by running: gpg -fingerprint AECF1D2F Gpg: key AECF1D2F: public key "Mark Greaves (PCNetSpec) " imported Gpg: /home/ /.gnupg/trustdb.gpg: trustdb created Which should result in:- gpg: requesting key AECF1D2F from hkp server If it’s not listed, run: gpg -keyserver -recv-keys AECF1D2F so if you had placed both files into your ‘Home’ directory, run: cd ~įirst you’ll need to check if you already have our GPG key, so run: gpg -list-keys Open a terminal, and ‘cd’ (change directory) into that directory. Place both the Peppermint-10-20191210-amd64.iso and the file in the same directory. if you’re checking another Peppermint version, please adjust the commands accordingly. In this EXAMPLE we’re going you verify the Peppermint 10 64bit ISO image (Peppermint-10-20191210-amd64.iso) against its GPG signature file (). Once you have downloaded the ISO file, you’ll also need to download its corresponding GPG signature file, links to these can be found next to the ISO download links and at the bottom of this page.
How to verify a Peppermint ISO image against its GPG signature file Even if someone were to hack into a website and upload a modified ISO image, and change the MD5sum being shown so it appeared to check out okay, the ISO would not verify correctly against its corresponding GPG key. This is where GPG signatures come in, checking the downloaded ISO against its signature file will verify the ISO hasn’t been tampered with. MD5sums are a simple method of checking the integrity of a downloaded ISO file to see if it is corrupt, but they provide no trusted method for checking the ISO hasn’t been tampered with in some way and you’ve been given a false MD5sum to check it against.