PGP Signature
I have started to distribute software with GnuPG-produced digital
signatures to help prove the authenticity of the software. If you
want to verify the digital signature of a file such as
# gpg --verify jed-0.99.18.tar.gz.sig jed-0.99.18.tar.gz
You should see something like:

gpg: Signature made Sun 05 Feb 2006 03:48:47 PM EST using DSA key ID 5873000A
gpg: Good signature from "John E. Davis <davis@space.mit.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: AE96 2A02 D29B FE4A 4BB2 805F DE40 1E0D 5873 000A

You should not be alarmed if you see the warning message. This just indicates that you have not taken steps to ensure the authenticity of my signature. Note that the key's fingerprint must match my public key's fingerprint, which is given below. If you see a message such as:

gpg: Signature made Sun 05 Feb 2006 03:48:47 PM EST using DSA key ID 5873000A
gpg: Can't check signature: public key not found

then you will first need to obtain my public key and add it to your keyring. My public key may be obtained by downloading the ASCII file jedavis_public_key.asc. To add it to your keyring, use
gpg --import jedavis_public_key.asc
and then verify that its fingerprint is
AE96 2A02 D29B FE4A 4BB2 805F DE40 1E0D 5873 000A
by running
gpg --fingerprint 0x5873000A
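
A scripted form of the check above, as an added example that is not part of the original page: it reads GnuPG's machine-readable --status-fd output and accepts a file only when the signature is good and the primary key fingerprint equals the one published here. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Fingerprint published on this page, spaces removed.
EXPECTED_FPR="AE962A02D29BFE4A4BB2805FDE401E0D5873000A"

# Strip whitespace and uppercase so "ae96 2a02 ..." and "AE962A02..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd lines on stdin and compare against fingerprint $1.
# Exit 0: good signature made with the expected primary key.
# Exit 2: public key not in the keyring (import it, check its fingerprint, retry).
# Exit 1: anything else (bad signature, expired or revoked key, different signer).
check_status() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "GOODSIG"   { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: the last argument is the primary key fingerprint when present.
        $2 == "VALIDSIG"  { fpr = (NF >= 12) ? $12 : $3 }
        END {
            if (nokey) exit 2
            if (good && !bad && fpr != "" && toupper(fpr) == want) exit 0
            exit 1
        }'
}

# verify_release SIGFILE DATAFILE (hypothetical helper name)
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status output for the two cases shown on the page.
sample_good_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG DE401E0D5873000A John E. Davis <davis@space.mit.edu>
[GNUPG:] VALIDSIG AE962A02D29BFE4A4BB2805FDE401E0D5873000A 2006-02-05 1139172527 0 3 0 17 2 00 AE962A02D29BFE4A4BB2805FDE401E0D5873000A
EOF
}
sample_missing_key() {
    cat <<'EOF'
[GNUPG:] ERRSIG DE401E0D5873000A 17 2 00 1139172527 9
[GNUPG:] NO_PUBKEY DE401E0D5873000A
EOF
}
```

Calling verify_release jed-0.99.18.tar.gz.sig jed-0.99.18.tar.gz returns 0 only for a good signature from this key; the "not certified with a trusted signature" warning does not affect the result.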
This page was last updated Mar 11, 2013 by John E. Davis. To comment on it or the material presented here, send email to jed at jedsoft org.