GPG Signature, DEB Packages

To verify the integrity of a *.deb package, do the following:
  1. Download my public GPG key from my security web page and save it in a file named "pmkey.asc".
  2. Import my public key into your gpg keyring.
  3. Execute the gpg command with the --verify option on the *.dsc or *.changes file.

EXAMPLE: First we import the key. We can list our keys to check and see if it is there (for those who may be paranoid). Below are the commands and the output from the gpg program.

Command:

gpg --import pmkey.asc

Output:

gpg: key 4812C85C: public key "Paul Michaels (January 2002) <pm@cgiss.boisestate.edu>" imported
gpg: Total number processed: 1
gpg:               imported: 1


Command:

gpg --list-keys

Output:

/home/pm/.gnupg/pubring.gpg
---------------------------
pub   1024D/4812C85C 2002-02-01
uid                  Paul Michaels (January 2002) <pm@cgiss.boisestate.edu>
sub   1024g/1430F4BF 2002-02-01


Next, we verify the signature embedded in the *.dsc or *.changes file.


Command:

gpg --verify bsu_3.0.2-1.dsc

Output:

gpg: Signature made Tue 13 Jun 2017 03:05:50 PM MDT using DSA key ID 4812C85C
gpg: Good signature from "Paul Michaels (January 2002) <pm@cgiss.boisestate.edu>"
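
A good signature on the *.dsc or *.changes file only vouches for the checksums listed inside it, so the downloaded files still have to be hashed and compared against that list. The shell functions below are an added example, not part of the original page; the function names are hypothetical, and it assumes the signed file carries a Checksums-Sha256 field and that sha256sum is installed.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# check_signed_sums SIGNED_TEXT DIR
# Compare every entry under Checksums-Sha256 in SIGNED_TEXT with the file of
# the same name in DIR. Returns 0 if all match, 1 on any failure, 2 if the
# field is absent.
check_signed_sums() {
    signed=$1 dir=$2 rc=0
    # Multi-line control field: a header line, then entries indented by a space
    # in the form "<sha256> <size> <filename>".
    list=$(awk '/^Checksums-Sha256:/ { on = 1; next }
                on && /^ /           { print $1, $3; next }
                                     { on = 0 }' "$signed")
    [ -n "$list" ] || { echo "no Checksums-Sha256 field" >&2; return 2; }
    while read -r want name; do
        # Refuse empty names and anything that could point outside DIR.
        case $name in ""|*/*) echo "REJECT $name"; rc=1; continue ;; esac
        if [ ! -f "$dir/$name" ]; then echo "MISSING $name"; rc=1; continue; fi
        have=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then echo "OK $name"
        else echo "MISMATCH $name"; rc=1; fi
    done <<EOF
$list
EOF
    return $rc
}

# verify_and_check SIGNED_FILE DIR
# Hash-check only text that gpg has verified: --decrypt on a clearsigned file
# checks the signature and writes the signed text, so lines placed outside
# the signed region are never parsed.
verify_and_check() {
    tmp=$(mktemp) || return 2
    if gpg --yes --output "$tmp" --decrypt "$1"; then
        check_signed_sums "$tmp" "$2"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh check.sh bsu_3.0.2-1.dsc /path/to/downloads
if [ "$#" -eq 2 ]; then verify_and_check "$1" "$2"; fi
```
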


If gpg also prints a warning that the key is not certified, it is because you have not assigned the key a level of trust. You can edit the key and change the trust, as well as sign it (assuming you have your own public and private key), but this is not necessary to check a *.changes or *.dsc file (assuming you are confident of my key). If you obtained my key from some source other than my web page, you may wish to compare it with the listing below:
