GPG (GPG)
GPG is a tool that lets publishers put a digital seal on their files. The publisher has two keys: a private key they keep secret, and a public key they share with the world. They use the private key to sign a file. You use the public key to verify that signature. If the signature checks out, you know two things: the file came from that publisher, and it has not been changed since they signed it. Think of it like a wax seal on an envelope where only one person has the stamp, but anyone can recognize the imprint.
GNU Privacy Guard (GPG) is a free, open-source implementation of the OpenPGP standard (RFC 4880). It provides digital signatures, asymmetric encryption, and a web of trust for key certification.
Asymmetric key pair:
- Private key: generated by the user, mathematically unique, never shared. Used to sign data and decrypt messages encrypted with the corresponding public key.
- Public key: derived from the private key. Distributed to key servers and official documentation. Used to verify signatures and encrypt messages.
Digital signature flow:
- The signer computes a hash (SHA-256) of the data.
- The signer encrypts that hash with their private key. This encrypted hash is the signature.
- The verifier downloads the data, the signature, and the signer’s public key.
- The verifier decrypts the signature using the public key, recovering the original hash.
- The verifier independently hashes the data.
- If the two hashes match: the data is authentic and unmodified. If they do not: “BAD signature.”
Key formats:
| Format | Length | Example |
|---|---|---|
| Short key ID | 8 hex chars | 0EFE21092 |
| Long key ID | 16 hex chars | 0D94AA3F0EFE21092 |
| Fingerprint | 40 hex chars | 843938DF228D22F7B3742BC0D94AA3F0EFE21092 |
Always use the full fingerprint when importing keys. Short key IDs are vulnerable to collision attacks where an attacker generates a key with the same short ID.
Web of trust: GPG’s decentralized trust model. Users sign each other’s public keys to vouch for their authenticity. A key signed by multiple trusted parties carries more weight. This is distinct from the PKI certificate authority model used by TLS.
Key servers: Public databases for distributing public keys. Common options: keyserver.ubuntu.com, keys.openpgp.org. The key server is only a distribution mechanism; the fingerprint must still be verified against an authoritative source (official docs, mailing lists).
GPG key import and signature verification
# Import a publisher's public key from a key server by full fingerprint
gpg --keyid-format long \
--keyserver hkp://keyserver.ubuntu.com \
--recv-keys 0x843938DF228D22F7B3742BC0D94AA3F0EFE21092
# Verify a GPG signature on a checksum file
# SHA256SUMS is the data; SHA256SUMS.gpg is the detached signature
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
# gpg: Signature made Wed 20 Mar 2024
# gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
# gpg: Good signature from "Ubuntu CD Image Automatic Signing Key"
# List keys in your keyring
gpg --list-keys --keyid-format long
# View the full fingerprint of a key
gpg --fingerprint cdimage@ubuntu.com
# Sign a file yourself (creates file.txt.gpg detached signature)
gpg --armor --detach-sign file.txtGPG signatures are the standard for verifying Linux distribution releases, security tool packages, and open-source software. Ubuntu, Debian, Kali Linux, and Fedora all ship GPG-signed release files. The Debian project signs every package in its repositories; apt verifies those signatures automatically on every install. Git supports GPG-signed commits and tags, giving you cryptographic proof that a commit was authored by a specific key holder. Package managers like rpm, dnf, and pacman use GPG to verify package integrity before installation. In practice, the weakest link is trusting the public key itself: always cross-reference the key fingerprint in official documentation, release announcements, and multiple independent sources before trusting a signature. A compromised key server could serve a malicious key, but it cannot compromise a fingerprint that is published in six different places simultaneously.