
How to Verify a GPG Signature

DodaTech Updated 2026-06-24 3 min read

In this tutorial, you'll learn how to verify a GPG signature on a downloaded file or a Git commit. We cover key concepts, practical examples, and best practices.

The Problem

You downloaded a file or received a Git commit with a GPG signature and need to verify the authenticity. Signature verification fails with gpg: Can't check signature: No public key or gpg: BAD signature. Without verification, you cannot trust the source of the file or commit.

Quick Fix

Step 1: Import the Signer's Public Key

gpg --keyserver keyserver.ubuntu.com --recv-keys ABC12345
# gpg: key ABC12345: public key "Developer Name <dev@example.com>" imported
# gpg: Total number processed: 1
# gpg:               imported: 1

Step 2: Verify a Detached Signature

WRONG — verifying without downloading the .asc file:

gpg --verify file.txt
# gpg: no signed data

RIGHT — verify the detached signature against the file:

gpg --verify file.txt.asc file.txt
# gpg: Signature made Thu Jun 24 12:00:00 2026 UTC
# gpg:                using RSA key ABC12345
# gpg: Good signature from "Developer Name <dev@example.com>"
# Primary key fingerprint: XXXX XXXX XXXX XXXX XXXX  XXXX XXXX XXXX XXXX XXXX

Step 3: Verify a Signed File (Inline Signature)

gpg --verify signed-file.gpg
# gpg: Signature made Thu Jun 24 12:00:00 2026 UTC
# gpg:                using RSA key ABC12345
# gpg: Good signature from "Developer Name <dev@example.com>"

Step 4: Verify a Git Commit

git log --show-signature -1
# commit abc123def456...
# gpg: Signature made Thu Jun 24 12:00:00 2026 UTC
# gpg:                using RSA key ABC12345
# gpg: Good signature from "Developer Name <dev@example.com>"

WRONG — ignoring the trust warning:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This warning means you have not signed the key yourself. It does not mean the signature is invalid.

RIGHT — verify the fingerprint out-of-band, then sign the key:

gpg --sign-key ABC12345

Step 5: Check Signature Trust Level

gpg --check-sigs ABC12345
# sig!    ABC12345 2024-06-24  Developer Name <dev@example.com>
# (sig! means a good signature with a trusted key)

Step 6: Decrypt and Verify Simultaneously

gpg --decrypt encrypted-and-signed.gpg
# gpg: Signature made Thu Jun 24 12:00:00 2026 UTC
# gpg: Good signature from "Developer Name <dev@example.com>"
# (file contents)

Use DodaTech's Integrity Checker to automate GPG signature verification in your CI/CD pipeline, blocking unsigned or mismatched artifacts from reaching production.

Prevention

  • Always verify signatures before installing downloaded software.
  • Import the signer's public key from a trusted keyserver.
  • Verify the key fingerprint through a separate communication channel.
  • Sign the key locally after confirming the owner's identity.
  • Automate signature checks in CI/CD with a trusted keyring.
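The last bullet is where most hand-rolled CI checks go wrong: grepping gpg's human-readable "Good signature" text is fragile, and a good signature alone says nothing about whether the key is the one you verified out-of-band (Step 4). The following helper is an added example, not code from the original article or from DodaTech: it reads gpg's machine-readable `--status-fd` lines, accepts a signature only when the primary-key fingerprint matches one you pinned after checking it through a separate channel, and treats a missing key, a bad signature, or an expired or revoked key as a rejection. The status samples are constructed, and the keyring path and pinned fingerprint are assumptions.

```python
import subprocess

PREFIX = "[GNUPG:] "
# Any of these gpg status keywords means the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(text):
    """Yield (keyword, args) for each machine-readable [GNUPG:] status line."""
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]


def evaluate_status(text, pinned_fingerprints):
    """Return (accepted, reason). Accept only GOODSIG + VALIDSIG whose primary-key
    fingerprint is one of the pinned fingerprints (spaces and case ignored)."""
    pinned = {fp.replace(" ", "").upper() for fp in pinned_fingerprints}
    good, primary = False, None
    for kw, args in parse_status(text):
        if kw in REJECT:
            return False, f"{kw} {' '.join(args)}".strip()
        if kw == "GOODSIG":
            good = True
        elif kw == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; args[9], when present,
            # is the primary key fingerprint, which is the value you pin.
            primary = (args[9] if len(args) > 9 else args[0]).upper()
    if not (good and primary):
        return False, "no good signature in gpg status output"
    if primary not in pinned:
        return False, f"good signature, but key {primary} is not pinned"
    # TRUST_UNDEFINED (the "not certified" warning) is deliberately ignored:
    # pinning the fingerprint you checked out-of-band replaces web-of-trust.
    return True, f"good signature from pinned key {primary}"


def verify_detached(sig_path, data_path, keyring_path, pinned_fingerprints):
    """Run gpg against an isolated keyring (assumed path) and judge its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return evaluate_status(proc.stdout, pinned_fingerprints)


# Constructed status output (not real gpg output) for a key that is imported
# but not certified, which is why gpg would also print TRUST_UNDEFINED.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0123456789ABCDEF Developer Name <dev@example.com>\n"
               f"[GNUPG:] VALIDSIG {FPR} 2026-06-24 1782302400 0 4 0 1 10 00 {FPR}\n"
               "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Developer Name <dev@example.com>\n"
SAMPLE_NOKEY = "[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1782302400 9\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"

if __name__ == "__main__":
    print(evaluate_status(SAMPLE_GOOD, ["0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"]))
```

In a pipeline, call `verify_detached` with a keyring you populated from a pinned key file rather than a keyserver lookup at build time, and fail the job on any `False` result.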

Common Mistakes with Signature Verification

  1. Forgetting deriving (Show, Eq) on custom data types needed for debugging
  2. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
  3. Using head and tail instead of pattern matching, causing runtime errors on empty lists

These mistakes appear frequently in real-world GPG code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

What does "gpg: BAD signature" mean?

The signature does not match the file content. Either the file was tampered with after signing, the signature is from a different file, or the wrong public key was used. Do not trust the file — re-download from the official source.

Why do I see "Can't check signature: No public key"?

You need to import the signer's public key first. Find the key ID (usually shown in the error message) and import it with gpg --recv-keys KEYID from a keyserver.

Is a "Good signature" enough to trust a file?

Not entirely. A good signature only proves the file was signed by the corresponding private key. You still need to verify that the public key belongs to the claimed identity by checking the fingerprint through a trusted channel.
