How to verify the downloaded GPG Suite?
Verify SHA256 checksum
Verification possible without gpg installed:
- download GPG Suite
- open Terminal app (easiest to find via Spotlight, an icon located in the top right of your menubar)
- paste
  shasum -a 256
  then press spacebar to add a space
- drag downloaded GPG Suite dmg file into Terminal
- press enter
The resulting SHA256 checksum must match the SHA256 checksum on https://gpgtools.org.
Verify signature
Verification possible with gpg installed on your system.
We sign each release with our team key. To verify the signature:
- download GPG Suite
- download GPG Signature from https://gpgtools.org
- if GPG Suite is already installed on your system skip this step, as our public key comes pre-installed with GPG Keychain. Otherwise import our public key
- both dmg and sig file must be located in the same folder
- double-click the signature file and GPG Services will show the verification result
Click notification for details:
"Untrusted signature" is expected and nothing to worry about. This KB-article explains how to verify and sign a key so that the key becomes trusted.
Verify signature of any file
Signing releases is common and it is routine to verify the signature for downloaded files when using software like Tor Browser or Tails.
- download the file and the corresponding gpg signature file
- import public key, matching the secret key used to generate the signature of the file you are looking to verify, into GPG Keychain
- to ensure the correct public key is used, please compare the fingerprint given on the developer's website with the fingerprint of the imported key
- make sure that signature file and file you are looking to verify are located in the same folder
- double-click the signature file and GPG Services will show the verification result