File verification with GnuPG

To ensure the files you downloaded from me are not tampered by the evil, you can use GnuPG to verify it.

Here are some simple steps for you to follow:

1. Import public key

  • Import manually:

    Download my public key and then import it to gpg:

    gpg --import public.asc
    
  • Or you can get it via keyserver:
    gpg --keyserver hkp://keys.gnupg.net --recv-keys F5380EA79A2C21C3687500B6BB350F9E0D2B1137
    
  • More information on key server: link

2. Verify key fingerprint

Run

gpg --fingerprint Chocobo1@users.noreply.github.com

Make sure the printed fingerprint on your screen match with the following:

F538 0EA7 9A2C 21C3 6875  00B6 BB35 0F9E 0D2B 1137

3. File verification

Let’s assume you downloaded abc.exe and wish to verify it.

Before verification, you must also download the accompany signature file abc.exe.sig (or abc.exe.asc). Put it in the same directory as abc.exe.

Then run:

gpg --verify abc.exe.sig  # or abc.exe.asc

If the files are NOT tampered, you should see the following:

gpg: Good signature from "Chocobo1 <Chocobo1@users.noreply.github.com>"

Verification FAILED example:

gpg: BAD signature from "Chocobo1 <Chocobo1@users.noreply.github.com>"


Updated on August 5, 2017