How can I verify signed files like Tor Installer with additional sig file?

0J's Avatar


19 Nov, 2019 08:37 AM

I'm missing one very important "how to". Maybe it is buried somewhere and cannot find it...

I want to use GPG Tools just to verify the signature of a downloaded .dmg installer.
For example the Tor installer is signed only with PGP, unfortunately for me no checksum.

Anyone to give me a link please? Thanx

  1. Support Staff 1 Posted by Steve on 20 Nov, 2019 01:50 PM

    Steve's Avatar

    Hi 0J,

    welcome to the GPGTools support platform. Sorry you are having problems using GPG Suite.

    This KB-article explains how to verify signed files.

    Let me know if you have more questions or need further assistance after going through that KB.

    All the best,

  2. 2 Posted by 0J on 20 Nov, 2019 05:58 PM

    0J's Avatar

    Hello Steve,
    thank you very much for help!

  3. Steve closed this discussion on 20 Nov, 2019 06:00 PM.

  4. OJ re-opened this discussion on 21 Nov, 2019 09:47 AM

  5. 3 Posted by OJ on 21 Nov, 2019 09:47 AM

    OJ's Avatar

    Hello Steve,
    something is wrong, maybe I'm wrong :-)

    I tried to paste from clipboard the PGP Signature


    /HU5w4F8s5v+sF/F4erz09nAgCMiE03E46430yCIT/RZ24d+teHWRLsuwAKIxlr7 4zm62xxMwQIXRXFO38aKsSa7Jr1Z0snSGp68rDns0I+GgjUTW3tQL4kN7SiIcTKi
    =KLK6 -----END PGP SIGNATURE-----

    and get the answer that this is not a signature and the same message from a .txt file I created..

    Some more help please?

  6. Support Staff 4 Posted by Steve on 21 Nov, 2019 10:30 PM

    Steve's Avatar

    Can you please list the steps you took to create the signature and then the steps you took to verify.

  7. 5 Posted by OJ on 22 Nov, 2019 08:37 AM

    OJ's Avatar

    Hello Steve,
    First I have to mention that this is not an installer file signature, it is a canary signature.

    1. I copied the signature and pasted in to the PGP app window - the answer was Not an valid signature.

    2. I created an .txt file with the content of the signature and pulled the closed file into the PGP app window. Same answer as in step 1.

    Thank you

  8. Support Staff 6 Posted by Steve on 22 Nov, 2019 09:20 AM

    Steve's Avatar

    Can you link to the age with the canary signature so we can try to reproduce why the verification is not working for you.

    And please also attach the txt file you created again so that we can reproduce the issue and see what is going wrong.

  9. 7 Posted by OJ on 22 Nov, 2019 11:45 AM

    OJ's Avatar

    here is the link: and attached the txt file.

    Thank you for support Steve

  10. Support Staff 8 Posted by Steve on 22 Nov, 2019 02:26 PM

    Steve's Avatar

    We tried to verify the signature of the link you sent and were able to do so.

    For the verification to be successful keep in mind that you need to have the public key first. So search for the fingerprint they give and after downloading the public key please retry.

    Also you may want to ask that company to upload and verify theri public key to


  11. 9 Posted by OJ on 22 Nov, 2019 03:25 PM

    OJ's Avatar

    Here is my result.

  12. Support Staff 10 Posted by Steve on 22 Nov, 2019 08:43 PM

    Steve's Avatar

    Importing the signature into GPG Keychain won't work as that is the key manager.


    1. visit
    2. mark all with cmd + A
    3. right click > Services > OpenPGP: Verify Signature of Selection
  13. 11 Posted by OJ on 22 Nov, 2019 09:35 PM

    OJ's Avatar

    Thank you Steve,
    and please remove the second printscreen.... !!!


  14. Support Staff 12 Posted by Steve on 22 Nov, 2019 09:43 PM

    Steve's Avatar

    Glad this is solved for you. I'm closing this discussion. Should you need further assistance or have questions you can re-open this discussion here or open a new one any time.


  15. Steve closed this discussion on 22 Nov, 2019 09:43 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac