PGP (Pretty Good Privacy) is encryption software best known for its use with email. It is used for encrypting, decrypting, and signing emails and files. Today we'll focus on two of its most valuable features: signing and verification.
Signing and verifying signatures matters for data integrity and authenticity. Verifying a PGP signature lets us confirm that a file or message came from a trusted source, because it was signed with the author's private key, which only the author should have access to. To verify that a signature is authentic, we only need the signer's public key.
How to use PGP to verify a signature
In this article we're going to verify the PGP signature of Cryptomator. We'll need three things: the software itself, the developer's public key, and the signature file.
First we download the software from Cryptomator.org. Once the software is downloaded, we import the PGP public key:
gpg --import cryptomator.asc
You can check the fingerprint of the imported public key:
gpg --list-keys
You should see the fingerprint of the key. Compare the full fingerprint, not just the first few characters, against the one the vendor publishes on its website or in its documentation; a key that merely shows a matching name does not prove anything:
58117AFA1F85B3EEC154677D615...
Now we need to download the PGP signature (the detached signature the developer made over the software) and verify it against the downloaded file:
gpg --verify pgp-signature.asc cryptomator.appimage
If the signature is valid, gpg reports:
Good signature from "Cryptobot"
SHA256 checksum verification helps confirm the integrity of files you download. It identifies whether the downloaded file has been corrupted or altered in transit; to be meaningful, the checksum you compare against must come from the vendor's signed release notes or website, not from the same place as the file.
Open a command prompt with administrator privileges. Navigate to the directory containing the downloaded file. Based on the OS you are using, execute the command listed below.
LINUX
sha256sum cryptomator.appimage
WINDOWS
CMD
CertUtil -hashfile C:\file SHA256
POWERSHELL
Get-FileHash C:\file -Algorithm SHA256
MAC
shasum -a 256 /file
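The two checks above (the PGP fingerprint and signature check, and the SHA256 comparison) are easy to get wrong by eyeballing output. The POSIX shell functions below are an added example, not part of the original article and not Cryptomator's own tooling: they compare the computed hash against the expected value programmatically, look up the key's full fingerprint in gpg's machine-readable output instead of scanning `gpg --list-keys` by hand, and rely on gpg's exit status for the signature check. File names, the expected hash, and the fingerprint are placeholders you supply; the Windows commands on this page (CertUtil, Get-FileHash) are not covered by this script.

```shell
#!/bin/sh
# Added example (not from the original article): script the download checks
# described above instead of eyeballing them.

# Portable SHA256: sha256sum on Linux, shasum -a 256 on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if the file's SHA256 equals the expected value (case-insensitive).
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# key_fingerprint_present FINGERPRINT
# Returns 0 if a key with exactly this full fingerprint is in the local keyring.
# gpg's --with-colons output has "fpr" records whose 10th field is the fingerprint.
# Spaces in the expected value (as printed by gpg) are ignored.
key_fingerprint_present() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  gpg --with-colons --fingerprint 2>/dev/null |
    awk -F: -v fp="$expected" '$1 == "fpr" && $10 == fp { found = 1 } END { exit !found }'
}

# verify_signature SIGNATURE_FILE DATA_FILE
# gpg exits non-zero for a BAD signature or a missing public key. A zero exit only
# means the signature is cryptographically valid for some key in the keyring; that is
# why key_fingerprint_present must be checked first, against the vendor-published value.
verify_signature() {
  gpg --verify "$1" "$2"
}

# Full check for one download. Placeholders: the expected hash and fingerprint
# come from the vendor's published release information, not from this script.
verify_download() {
  data=$1; sig=$2; expected_hash=$3; expected_fpr=$4
  verify_sha256 "$data" "$expected_hash" || { echo "SHA256 mismatch for $data" >&2; return 1; }
  key_fingerprint_present "$expected_fpr" || { echo "expected signing key not in keyring" >&2; return 1; }
  verify_signature "$sig" "$data" || { echo "signature check failed for $data" >&2; return 1; }
  echo "OK: $data"
}

# Usage (placeholders):
#   verify_download cryptomator.appimage pgp-signature.asc <EXPECTED_SHA256> <EXPECTED_FINGERPRINT>
```

Run the script with `sh -x` if a step fails; each function returns non-zero on its own failure so `verify_download` stops at the first problem rather than continuing to a later check that could mask it.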