How to verify the downloaded GPG Suite?

Verify SHA256 checksum

This method can be used if you do not have gpg installed yet. It only confirms that the download arrived intact: because the checksum is published on the same website as the file, matching it does not by itself prove who produced the file. For that, use the signature check once gpg is installed.

  1. download GPG Suite from https://gpgtools.org
  2. open Terminal.app
  3. type shasum -a 256
  4. type a space, then drag the GPG Suite .dmg file from Finder into the Terminal window (its full path is inserted for you)
  5. press enter

The SHA256 checksum shown must match the SHA256 checksum published on our website for exactly the version you downloaded; compare every character, not just the beginning. The following is only an example of what the output looks like. It is not the actual checksum of the GPG Suite you are verifying!
2bb29067e7f2705a51b22f23080ca767bba4735ce16711a7d950e582737e8aaf /Users/UserName/Downloads/GPG_Suite-2016.12b1.dmg

Verify SHA1 checksum

This method can be used if you do not have gpg installed yet. SHA1 is no longer considered collision resistant, so when both values are published, prefer the SHA256 check above; like the SHA256 check, it only confirms that the download is intact, not who produced it.

  1. download GPG Suite from https://gpgtools.org
  2. open Terminal.app
  3. type shasum (without the -a option it computes SHA1)
  4. type a space, then drag the GPG Suite .dmg file from Finder into the Terminal window (its full path is inserted for you)
  5. press enter

The SHA1 checksum shown must match the SHA1 checksum published on our website for exactly the version you downloaded. The following is only an example of what the output looks like. It is not the actual checksum of the GPG Suite you are verifying!

ac7a636bfee1027d8f43a12a82eea54e7566dcb8 /Users/UserName/Downloads/GPG Suite - 2013.10.22.dmg

Verify signature

This method can be used if gpg is already installed on your system.

We sign each release with our team key. To verify the signature:

  1. download the GPG Suite .dmg file and
  2. the matching .sig signature file from https://gpgtools.org
  3. click this link to display our public key in your browser. Press cmd + A to select all, then copy and paste that text into the GPG Keychain main window; that imports our public key. Before relying on it, double-click the imported key in GPG Keychain and compare its fingerprint with the fingerprint we publish, so that you are not verifying against a key somebody else put in front of you.
  4. make sure the .dmg and the .sig file are located in the same folder
  5. right-click the .sig or the .dmg file and select Services > OpenPGP: Verify Signature of File

If everything is OK, the verification result will look like this:

[screenshot: gpgs_verify_result_GPG_Suite.png]

Verify signature of any downloaded file (gpg installed)

  1. download the file you want to verify and
  2. the corresponding gpg signature file
  3. import the public key of the person you assume created the signature into GPG Keychain
  4. Important: verify the fingerprint of that key out of band, e.g. with the developer, to make sure you are using the correct public key (open GPG Keychain, double-click the key and you will find the fingerprint). A signature that checks out against the wrong key proves nothing.
  5. make sure that the signature file and the file you want to verify are located in the same folder
  6. right-click the signature file or the file itself and select Services > OpenPGP: Verify Signature of File

If everything is OK, the verification result will look similar to this (in this example a downloaded tails.iso file has been verified successfully):

[screenshot: gpgs_verify_result_Tails.png]
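The two signature procedures above (the GPG Suite release and any other downloaded file) are the same check, and the step that matters most is the fingerprint comparison, since gpg will happily report a good signature from any key that is in your keyring. The script below is an added example, not code from gpgtools.org or from GPG Suite. It is the command-line equivalent of the Services menu item, with the fingerprint check built in: it accepts a signature only when it was made by the key whose fingerprint you obtained from the developer, and it imports that key into a throwaway keyring so nothing else on the machine can satisfy the check. It assumes gpg 2.1 or newer (the gpg installed by GPG Suite qualifies); the file names, the key file and the fingerprint are placeholders you supply.

```shell
#!/bin/sh
# Added example, not code from gpgtools.org. Command-line equivalent of
# "Services > OpenPGP: Verify Signature of File", with the fingerprint check
# the page recommends built in. Assumes gpg 2.1 or newer.

# normalize_fpr STRING -> fingerprint without spaces, upper-case hex
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# primary_fpr_from_colons: read "gpg --with-colons" output on stdin and print
# the first "fpr" record, which belongs to the primary key (field 10)
primary_fpr_from_colons() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# signer_fpr_from_status: read "gpg --status-fd" output on stdin and print the
# primary-key fingerprint from VALIDSIG, but only if a GOODSIG line is present
# (VALIDSIG is also emitted for expired or revoked keys; GOODSIG is not)
signer_fpr_from_status() {
    awk '$2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr }'
}

# verify_signed_file SIGFILE DATAFILE KEYFILE EXPECTED_FPR -> 0 on success
verify_signed_file() {
    sig=$1; data=$2; keyfile=$3
    expected=$(normalize_fpr "$4")

    # 1. Check the key file's fingerprint before using it for anything
    actual=$(gpg --batch --with-colons --import-options show-only --import "$keyfile" 2>/dev/null \
             | primary_fpr_from_colons)
    if [ "$actual" != "$expected" ]; then
        printf 'key fingerprint mismatch\n  expected %s\n  got      %s\n' "$expected" "$actual" >&2
        return 1
    fi

    # 2. Import into a throwaway keyring so only this key can satisfy the check
    home=$(mktemp -d) || return 1
    gpg --batch --homedir "$home" --quiet --import "$keyfile" 2>/dev/null || { rm -rf "$home"; return 1; }

    # 3. Verify, reading the machine-readable status lines instead of grepping
    #    the human-readable output
    signer=$(gpg --batch --homedir "$home" --status-fd 1 --verify "$sig" "$data" 2>/dev/null \
             | signer_fpr_from_status)
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
    rm -rf "$home"

    if [ "$signer" = "$expected" ]; then
        printf 'OK: %s carries a good signature from key %s\n' "$data" "$expected"
        return 0
    fi
    printf 'FAILED: no good signature from %s on %s\n' "$expected" "$data" >&2
    return 1
}

# Usage: sh verify_sig.sh GPG_Suite.dmg.sig GPG_Suite.dmg team_key.asc "<fingerprint from the developer>"
if [ $# -eq 4 ]; then
    verify_signed_file "$1" "$2" "$3" "$4"
fi
```

Two design choices are worth noting. The fingerprint is compared twice, once on the key file and once on the VALIDSIG status line, because a key file can contain more than one key and the first check alone would not tell you which one made the signature. And GOODSIG is required in addition to VALIDSIG: gpg reports a structurally valid signature from an expired or revoked key with EXPKEYSIG or REVKEYSIG instead, and this script treats those as failures, matching the red result GPG Keychain would show for them.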