How to Verify a GPG Signature

DodaTech Updated 2026-06-24 2 min read

Verifying GPG signatures confirms the authenticity and integrity of signed files. This guide walks through the specific troubleshooting steps to diagnose and resolve GPG signature verification issues.

Before You Begin

Before you begin, be sure to have the following in place:

  • A Linux server with the relevant software installed
  • Access to the command line interface
  • Appropriate permissions (root or sudo)

Quick Fix

Wrong

gpg --verify file.txt.asc

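Wrong: Verifying without naming the original file. Given only the signature, gpg guesses the data file by stripping the suffix from the signature's file name, a historical feature that the GnuPG documentation discourages for detached signatures.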

gpg --verify file.txt.asc file.txt

Right: Verifying detached signature against the original file

Output

gpg: Signature made Mon Jun 24 12:00:00 2026 UTC
gpg: Good signature from "Alice Smith <alice@example.com>"

Prevention

To avoid future issues, follow these best practices:

  • Provide both the signature file and the original file for detached signature verification
  • Import the signer's public key before attempting verification
  • Check that the fingerprint matches the expected signer
  • Set appropriate trust on imported keys
  • Use --status-fd 1 for machine-readable output
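
The fingerprint check and the --status-fd 1 advice above can be combined into one scripted gate. The following is an added example, not part of the original guide: the function names, the sample fingerprints and the sample status lines are constructed, and pinning the primary key fingerprint (rather than a subkey) is an assumption of this sketch.

```sh
#!/bin/sh
# Decide pass/fail from gpg's status lines, not from the "Good signature" text.

# check_status EXPECTED_FPR: reads "[GNUPG:]" status lines on stdin.
# Returns 0 only for exactly one GOODSIG + VALIDSIG whose primary key
# fingerprint equals EXPECTED_FPR; 1 on any failure; 2 on a bad argument.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    # Require a full 40-hex-digit fingerprint, never a short key ID.
    case "$want" in
        ""|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        # Treated as failure here: bad, unverifiable or expired signature,
        # or a signature made by an expired or revoked key.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        $2 == "VALIDSIG" {
            valid++
            # Field 3 is the signing (sub)key; field 12, when present,
            # is the primary key fingerprint.
            fpr = (NF >= 12) ? $12 : $3
        }
        END {
            ok = (good == 1 && valid == 1 && bad == 0 && toupper(fpr) == want)
            exit(ok ? 0 : 1)
        }'
}

# verify_detached SIGNATURE FILE EXPECTED_FPR
# Always names the data file; status lines go to stdout, messages are dropped.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed sample: a signature made by a subkey of the pinned primary key.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_SUB=89ABCDEF0123456789ABCDEF0123456789ABCDEF
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Smith <alice@example.com>
[GNUPG:] VALIDSIG $SAMPLE_SUB 2026-06-24 1782302400 0 4 0 1 10 00 $SAMPLE_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"
printf '%s\n' "$SAMPLE_STATUS" | check_status "$SAMPLE_FPR" && echo "sample: accepted"
```

In a script, call verify_detached file.txt.asc file.txt "$EXPECTED_FPR" and act on its exit status; the expected fingerprint should come from a channel independent of the download itself.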


Common Mistakes with verify sign

  1. Mixing let bindings with <- bindings in do notation, producing type errors
  2. Overlapping type class instances that cause GHC to reject the program with ambiguous dispatch errors
  3. Non-exhaustive pattern matches that compile with warnings then crash at runtime

These mistakes appear frequently in real-world GPG code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

What does Good signature mean in GPG output?
The signature is cryptographically valid -- the file was signed by the corresponding private key and has not been modified. It does not mean you should trust the signer.

Why does GPG say untrusted even with a good signature?
The signature is valid but you have not set a trust level on the signer key. Run gpg --edit-key KEYID trust to assign trust.
