I classify files available for download on the internet as the following:
- Respectable providers ship download files with signatures;
- Less respectable providers ship with checksums;
- Unrespectable providers ship only the download file.
The most popular way of digitally signing a file is using a private key in the realm of the web of trust. To get started, you can use the GNU Privacy Guard free software. If you don't have it on your Mac, you can install the Mac version. I've downloaded the dmg of version 1.4.8 and it worked like a charm.
After installing the GNU Privacy Guard, a command "gpg" is available to you in /usr/local/bin as well as some other utility programs. You can open a terminal and use
$ gpg --verify foo.tar.gz.sig
to verify that the file foo.tar.gz matches the signature file foo.tar.gz.sig. You can verify multiple files at once by
$ gpg --verify-files *.sig
to verify the integrity of the files. Read the manual ("man gpg") for more details.
Oops, an error!
If you see a message like
gpg: Signature made Wed Dec 13 05:02:10 2006 CST using DSA key ID 64EA74AB
gpg: Can't check signature: public key not found
from "gpg --verify", it means that the public key of the signer is not in your GPG keyring. Just load the public key of the signer into your keyring and off you go. The following is how I do it; your mileage may vary.
The longer route:
- Go to http://pgp.mit.edu/, a popular public key server.
- Type the key ID in the search box. Remember to add "0x" in front of the 8-character hex key ID. For the example above, I typed "0x64EA74AB".
- If all goes well, you'll see a search result page listing one or more keys. Click on the key ID that matches your input. Other keys belong to people who "vouch" for the key you searched for.
- The key server should then show you the public key for that key ID. Copy and paste the plain text between "-----BEGIN PGP PUBLIC KEY BLOCK-----" and "-----END PGP PUBLIC KEY BLOCK-----" into a file on your computer, with these 2 lines included. Let's call the file "foo.txt".
- Now import this key into your GPG keyring:
$ gpg --import foo.txt
The shorter route, fetching the key straight from the key server:
$ gpg --recv-keys 0x64EA74AB
Now that you have the public key of the signer in your keyring, you can verify the files signed by him/her using "gpg --verify".
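An added example, not from the original post: a small POSIX shell wrapper around "gpg --verify" that reads gpg's machine-readable status lines ("--status-fd") instead of eyeballing the human-readable output, distinguishes "public key not found" from a genuinely bad signature, and accepts a signature only from a pinned full fingerprint rather than the 8-character key ID shown in the error message (two keys can share a short ID). EXPECTED_FPR is a placeholder you replace with the fingerprint obtained out of band; the status lines in the comments are constructed samples.

```shell
#!/bin/sh
# Classify the outcome of a gpg signature check from its --status-fd output.
# Placeholder: replace with the signer's full 40-hex-digit fingerprint, obtained
# out of band (project website, release notes, a trusted contact), not from a
# key server search result.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# verdict_from_status reads "[GNUPG:] ..." lines on stdin and prints one word:
#   GOOD      - good signature from the pinned fingerprint
#   WRONGKEY  - good signature, but from a key other than the pinned one
#   NO_PUBKEY - signer's key is not in the keyring (the error shown above)
#   BAD       - signature does not match the file, or gpg reported an error
# Sample (constructed) input lines:
#   [GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>
#   [GNUPG:] VALIDSIG <fingerprint> 2006-12-13 1165996930 0 4 0 17 2 00
#   [GNUPG:] NO_PUBKEY 0123456789ABCDEF
verdict_from_status() {
    expected="$1"
    goodsig=0; fpr=""; nopubkey=0; badsig=0
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG)       goodsig=1 ;;
            VALIDSIG)      fpr="${rest%% *}" ;;   # first field is the fingerprint
            NO_PUBKEY)     nopubkey=1 ;;
            BADSIG|ERRSIG) badsig=1 ;;
        esac
    done
    if [ "$badsig" = 1 ]; then echo BAD
    elif [ "$nopubkey" = 1 ]; then echo NO_PUBKEY
    elif [ "$goodsig" = 1 ] && [ "$fpr" = "$expected" ]; then echo GOOD
    elif [ "$goodsig" = 1 ]; then echo WRONGKEY
    else echo BAD
    fi
}

# verify_pinned checks a detached signature against a file and prints the verdict.
# Usage: verify_pinned foo.tar.gz.sig foo.tar.gz
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" | verdict_from_status "$EXPECTED_FPR"
}
```

Treat anything other than GOOD as a failed download; NO_PUBKEY just means the key still has to be imported, while WRONGKEY means a valid signature was made by a key you did not pin.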