A time came when before clicking to download a software to install on machine, the hint message might tell you "After download you must check the GPG signature."
That might be a little bit of scary. But that's a must if that certain kind of software you're going to install is network-based and you will be using it almost all the time.
So let's see how can we verify such GPG signature.
In this case, we're going to use
gpg application to do the work for us for an example to install ShadowsockX macOS client. Let's go down to step by step.
- Install GPG via
brew install gpgon macOS.
- If you want to verify such GPG signature from unknown source but you trust them, usually you need to import their public GPG key. Go to grab their public key.
- Save their public key into file and name it
gpg --import key.sig. Assume that you are at the location of the file.
- Now you're ready to verify GPG signature. Download its GPG signature of the target file you want to download. It's here. Download it as
gpg --verify verify.sig ShadowsockX-NG-R8.dmg
Remember to start with signature file first, before the name of target file to verify.
- That's it. If verification goes well, you should see output similar to this
gpg: Signature made Sat Dec 24 10:27:07 2016 CST using RSA key ID 73EB5E11 gpg: Good signature from "YuhangQin (Sign SSR-NG-R) <firstname.lastname@example.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: AAAA BBBB CCCC DDDD 00C6 3326 2A45 A972 73EB 5E11