Last active August 29, 2015 14:18

Verifying GPG Tools using GPG Tools

To be clear, I'm not an expert on security. If your life or livelihood depends on secure communications, please be sure to explore trusted resources published by experts.

From what I understand, you should use this method only if you're already running a version of GPG Tools that you trust. Here are the steps I took:

  • Went to and downloaded the latest version

  • Clicked on the link for the "please download and import our updated key"

  • Got a big screen of scramble, and copied the URL from the browser window

  • In Terminal, I used that URL to import the key:

    curl -0 | gpg --import

  • Then I listed the keys on my keyring, with their fingerprints ...

    gpg --list-keys --fingerprint

  • I see that the GPG Tools key is in my keyring, and that the key fingerprint listed matches the one currently at the bottom of the web page.

    pub   2048D/00D026C4 2010-08-19 [expires: 2018-08-19]
          Key fingerprint = 85E3 8F69 046B 44C1 EC9F  B07B 76D7 8F05 00D0 26C4
    uid       [ultimate] GPGTools Team <>
    uid       [ultimate] GPGMail Project Team (Official OpenPGP Key) <>
    uid       [ultimate] GPGTools Project Team (Official OpenPGP Key) <>
    uid       [ultimate] [jpeg image of size 5871]

  • I downloaded the GPG signature, using the "Download GPG Signature" link on that page

  • I then checked the signature file (ends in .sig) against the original downloaded file (ends in .dmg)

    gpg --verify GPG_Suite-2015.03-b6.dmg.sig GPG_Suite-2015.03-b6.dmg

  • And I got confirmation I'm good.

    gpg: Good signature from "GPGTools Team <>" [ultimate]

This method also works for other signed software, such as OnionShare.
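The same import / fingerprint / verify procedure as a script, added here as an example that is not part of the gist and not GPGTools' own tooling. It makes explicit the check the steps above rely on: `gpg --verify` printing "Good signature from ..." only means the signature matches *some* key in your keyring carrying that name, so the script pins the expected fingerprint and compares it to the key that actually signed. To run offline it generates two throwaway signing keys (a "real" vendor key and an imposter with the identical user ID) in temporary GNUPGHOMEs; the file name `pkg.dmg`, the user ID `Vendor Team <release@vendor.invalid>` and the directory layout are assumptions made up for the demo. The pinned fingerprint should come from somewhere you already trust (an existing install, a previously imported key), not from the same page that served the key.

```shell
#!/bin/sh
# Added example, not from the gist: verify a download against a detached
# OpenPGP signature AND a pinned key fingerprint, with throwaway keys so it
# runs offline. Names, user IDs and paths below are demo assumptions.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

WORK="$(mktemp -d)"
SIGNER_HOME="$WORK/signer"      # the real vendor's keyring
IMPOSTER_HOME="$WORK/imposter"  # someone who made a key with the same name
USER_HOME="$WORK/user"          # the keyring we verify with (the gist's situation)
for h in "$SIGNER_HOME" "$IMPOSTER_HOME" "$USER_HOME"; do mkdir -m 700 "$h"; done
cleanup() {
  for h in "$SIGNER_HOME" "$IMPOSTER_HOME" "$USER_HOME"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# gpg on one specific keyring, batch mode, empty passphrase for the demo keys.
g() { home="$1"; shift; gpg --homedir "$home" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Strip the spaces gpg prints inside fingerprints and upper-case the hex, so a
# fingerprint copied from a web page or a notes file compares correctly.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# Primary-key fingerprint of the first key matching $2 in keyring $1.
fpr_of() { g "$1" --with-colons --fingerprint "$2" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'; }

# verify_download KEYRING PINNED_FPR SIG FILE
# Returns 0 only if FILE carries a good signature whose signing key (or its
# primary key) has fingerprint PINNED_FPR. gpg reports a good signature as a
# "[GNUPG:] VALIDSIG <fpr> ... <primary fpr>" status line; a good signature
# from any other key, even one with the same user ID, returns 1.
verify_download() {
  want="$(normalize_fpr "$2")"
  status="$(gpg --homedir "$1" --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null || true)"
  printf '%s\n' "$status" | awk -v want="$want" '
    $1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==want || $NF==want) { ok=1 }
    END { exit ok ? 0 : 1 }'
}

# Both "vendors" create a key with the same user ID; only one is the real one.
g "$SIGNER_HOME"   --quick-generate-key "Vendor Team <release@vendor.invalid>" ed25519 sign never >/dev/null 2>&1
g "$IMPOSTER_HOME" --quick-generate-key "Vendor Team <release@vendor.invalid>" ed25519 sign never >/dev/null 2>&1
REAL_FPR="$(fpr_of "$SIGNER_HOME" release@vendor.invalid)"
IMPOSTER_FPR="$(fpr_of "$IMPOSTER_HOME" release@vendor.invalid)"

# The "download" (constructed), a detached signature from each key, and a
# tampered copy of the download.
PKG="$WORK/pkg.dmg"; printf 'pretend this is a disk image\n' > "$PKG"
g "$SIGNER_HOME"   --local-user "$REAL_FPR"     --detach-sign --output "$PKG.sig"      "$PKG"
g "$IMPOSTER_HOME" --local-user "$IMPOSTER_FPR" --detach-sign --output "$PKG.fake.sig" "$PKG"
TAMPERED="$WORK/pkg-tampered.dmg"; { cat "$PKG"; printf 'X'; } > "$TAMPERED"

# The user imports BOTH public keys, as happens when a page says "please
# download and import our updated key" (the gist's curl | gpg --import step).
g "$SIGNER_HOME"   --armor --export "$REAL_FPR"     | g "$USER_HOME" --import >/dev/null 2>&1
g "$IMPOSTER_HOME" --armor --export "$IMPOSTER_FPR" | g "$USER_HOME" --import >/dev/null 2>&1

# The fingerprint as it would be written down from a trusted source, in the
# spaced form gpg prints it (this is the real key's fingerprint).
PINNED="$(printf '%s' "$REAL_FPR" | sed 's/..../& /g')"

report() { if verify_download "$@"; then echo "OK  : $4 ($3)"; else echo "FAIL: $4 ($3)"; fi; }
report "$USER_HOME" "$PINNED" "$PKG.sig"      "$PKG"       # real key, intact file
report "$USER_HOME" "$PINNED" "$PKG.fake.sig" "$PKG"       # imposter key: fingerprint mismatch
report "$USER_HOME" "$PINNED" "$PKG.sig"      "$TAMPERED"  # modified file: bad signature

# For contrast, gpg on its own is perfectly happy with the imposter's signature:
echo "gpg's own verdict on the imposter signature:"
gpg --homedir "$USER_HOME" --batch --verify "$PKG.fake.sig" "$PKG" 2>&1 | grep 'Good signature' || true
```

With a real download, drop the key generation, import the vendor's key as in the gist, set `PINNED` to the fingerprint you obtained out of band, and call `verify_download` on the `.sig` and `.dmg`; the "Good signature" line gpg prints for the imposter key is why the fingerprint comparison is the step that matters.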
