How to check file integrity using public keys and MD5 checksums

To check that a file was sent by the correct person/entity, use the “gpg” program:

  1. Download the file as well as its signature (.asc) file into the same local directory
  2. Run: “gpg <file_signature.asc>” to check if the signature has not been tampered with
    1. If you don’t have the public key, download it: “gpg –keyserver –recv-key <ID>
    2. Try: “gpg <>” again
  3. Verify the signature is from the correct person
    1. Run: “gpg –fingerprint <ID>”

To check that the file itself has not been tampered with, run an MD5 check

  1. Run: “fsum <file_name>”
    1. Compare the output with a trusted MD5 checksum file provided by the right person

Further links:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s