How to Verify a GPG Signature
In this tutorial, you'll learn how to verify a GPG signature. We cover key concepts, practical examples, and best practices.
The Problem
You downloaded a file or received a Git commit with a GPG signature and need to verify its authenticity. Signature verification fails with gpg: Can't check signature: No public key or gpg: BAD signature. Without verification, you cannot trust the source of the file or commit.
Quick Fix
Step 1: Import the Signer's Public Key
gpg --keyserver keyserver.ubuntu.com --recv-keys ABC12345
# gpg: key ABC12345: public key "Developer Name <dev@example.com>" imported
# gpg: Total number processed: 1
# gpg: imported: 1
Step 2: Verify a Detached Signature
WRONG — verifying without downloading the .asc file:
gpg --verify file.txt
# gpg: no signed data
RIGHT — verify the detached signature against the file:
gpg --verify file.txt.asc file.txt
# gpg: Signature made Thu Jun 24 12:00:00 2026 UTC
# gpg: using RSA key ABC12345
# gpg: Good signature from "Developer Name <dev@example.com>"
# Primary key fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Step 3: Verify a Signed File (Inline Signature)
gpg --verify signed-file.gpg
# gpg: Signature made Thu Jun 24 12:00:00 2026 UTC
# gpg: using RSA key ABC12345
# gpg: Good signature from "Developer Name <dev@example.com>"
Step 4: Verify a Git Commit
git log --show-signature -1
# commit abc123def456...
# gpg: Signature made Thu Jun 24 12:00:00 2026 UTC
# gpg: using RSA key ABC12345
# gpg: Good signature from "Developer Name <dev@example.com>"
WRONG — ignoring the trust warning:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This warning means the key is not certified by any key in your web of trust (for example, you have not signed it yourself). It does not mean the signature is invalid; it means gpg cannot confirm that the key belongs to the named owner.
RIGHT — verify the fingerprint out-of-band, then sign the key:
gpg --sign-key ABC12345
Step 5: Check Signature Trust Level
gpg --check-sigs ABC12345
# sig! ABC12345 2024-06-24 Developer Name <dev@example.com>
# (sig! means the certification verified as a good signature; sig- is a bad signature, sig% an error, sig? a signing key not in your keyring)
Step 6: Decrypt and Verify Simultaneously
gpg --decrypt encrypted-and-signed.gpg
# gpg: Signature made Thu Jun 24 12:00:00 2026 UTC
# gpg: Good signature from "Developer Name <dev@example.com>"
# (file contents)
Use DodaTech's Integrity Checker to automate GPG signature verification in your CI/CD pipeline, blocking unsigned or mismatched artifacts from reaching production.
Prevention
- Always verify signatures before installing downloaded software.
- Import the signer's public key from a trusted keyserver.
- Verify the key fingerprint through a separate communication channel.
- Sign the key locally after confirming the owner's identity.
- Automate signature checks in CI/CD with a trusted keyring.
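The following is an added example, not code from the original page or from DodaTech. It shows how the CI check described in the Prevention list can be built on gpg's machine-readable output (--status-fd) rather than on the human-readable "Good signature" text: the check fails on BADSIG, ERRSIG and NO_PUBKEY, requires a VALIDSIG line, and only passes when the signing key or its primary key matches a fingerprint pinned in the pipeline, which is what makes the Step 4 trust warning irrelevant for a dedicated CI keyring. The fingerprint, key ID and status lines below are constructed sample values; verify_detached and verify_git_commit are helper names chosen here and assume gpg and git are on PATH.

```python
"""Added example: gate a gpg signature check on --status-fd lines and a
pinned fingerprint instead of grepping "Good signature".

Not part of the original page; the fingerprints, key IDs and status
lines below are constructed sample values.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "

# Status tags that mean the verification must fail outright.
FATAL_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample: what `gpg --status-fd 1 --verify file.txt.asc file.txt`
# emits on stdout for a good signature from a key that is NOT in the web of
# trust (hence TRUST_UNDEFINED, the situation behind the warning in Step 4).
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] SIG_ID abcdefabcdefabcdefabcdef 2026-06-24 1782302400",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Developer Name <dev@example.com>",
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2026-06-24 1782302400 0 4 0 1 10 00 {SAMPLE_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None  # fingerprint of the key that signed
    trust: Optional[str] = None        # TRUST_* tag reported by gpg, if any


def parse_status(status_text: str, pinned_fingerprints: set) -> VerifyResult:
    """Decide pass/fail from gpg --status-fd output.

    Any fatal tag fails. GOODSIG and VALIDSIG must both appear, and the
    signing key (or its primary key) must be one of the pinned fingerprints.
    The TRUST_* line is recorded but not required: the pin proves identity,
    so the web-of-trust warning from Step 4 does not have to be resolved.
    """
    pinned = {f.replace(" ", "").upper() for f in pinned_fingerprints}
    good_sig = False
    signing_fpr = None
    primary_fpr = None
    trust = None

    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # anything that is not a status line is ignored
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag in FATAL_TAGS:
            return VerifyResult(False, f"gpg reported {tag}: {' '.join(args)}")
        if tag == "GOODSIG":
            good_sig = True
        elif tag == "VALIDSIG":
            # args[0]: fingerprint of the (sub)key that made the signature;
            # args[9]: fingerprint of its primary key, when gpg prints it.
            signing_fpr = args[0].upper()
            primary_fpr = args[9].upper() if len(args) > 9 else signing_fpr
        elif tag.startswith("TRUST_"):
            trust = tag

    if not good_sig or signing_fpr is None:
        return VerifyResult(False, "no GOODSIG/VALIDSIG in gpg status output")
    if signing_fpr not in pinned and primary_fpr not in pinned:
        return VerifyResult(False, f"key {primary_fpr} is not a pinned signer",
                            signing_fpr, trust)
    return VerifyResult(True, "good signature from a pinned key", signing_fpr, trust)


def verify_detached(signature_path: str, data_path: str, pinned_fingerprints: set,
                    keyring_path: Optional[str] = None) -> VerifyResult:
    """Run gpg on a detached signature (Step 2) and apply the rules above.

    --status-fd 1 sends the machine-readable lines to stdout while the usual
    text still goes to stderr. A dedicated keyring keeps the check independent
    of whatever happens to be in the runner's default keyring.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring_path:
        cmd += ["--no-default-keyring", "--keyring", keyring_path]
    cmd += ["--verify", signature_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_status(proc.stdout, pinned_fingerprints)


def verify_git_commit(revision: str, pinned_fingerprints: set) -> VerifyResult:
    """Same rules for a signed commit (Step 4): `git verify-commit --raw`
    prints the gpg status lines on stderr instead of the readable output."""
    proc = subprocess.run(["git", "verify-commit", "--raw", revision],
                          capture_output=True, text=True)
    return parse_status(proc.stderr, pinned_fingerprints)


if __name__ == "__main__":
    print(parse_status(SAMPLE_GOOD_STATUS, {SAMPLE_FPR}))
```

Pin the full 40-hex-digit fingerprint from the Primary key fingerprint line in Step 2 rather than the 8-digit short key ID used in the commands above; short IDs are not unique, and the fingerprint is what you confirmed out of band.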
Common Mistakes with Signature Verification
- Forgetting deriving (Show, Eq) on custom data types needed for debugging
- Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
- Using head and tail instead of pattern matching, causing runtime errors on empty lists
These mistakes appear frequently in real-world GPG code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
FAQ
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro