As an example, this project offers an *.asc file with a PGP signature to verify the contents of the download (as opposed to a checksum, you can see the empty column): https://ossec.github.io/downloads.html
How would I use this file? I tried gpg --verify and other variants, but it seems to be matching the name up to the file, however the filename as it is downloaded is not exactly the same... not sure how it is supposed to work.
EE1B0E6B2D8387B7as its keyid.Output
This further refines Евгений Новиков's answer. It doesn't use deprecated GnuPG commands and avoids potentially spoofable key IDs for authentication:
Download the files
Acquire the OpenPGP certificate that the author uses to issue signatures:
Then acquire the detached signature issued by the author:
Finally acquire the file that you intend to authenticate:
Display and thoroughly compare the fingerprint
Before importing the certificate, display the full 40 character long OpenPGP certificate fingerprint and make sure it fully matches the fingerprint of the authors certificate.
Attention: You should acquire the fingerprint through a secure channel from the author. Apart of meeting the author physically to exchange the fingerprint, the next best thing would be a fingerprint displayed on the author's website and accessed via an
https:schemed URI. The author did publish one here.Attention: If the author only displays a short ID (8 characters long, e.g.
2D8387B7) or long ID (16 characters long, e.g.EE1B0E6B2D8387B7) better be sceptical and ask the author to publish the full fingerprint, as both the short ID and the long ID have been demonstrated to be spoofable (read more here)Older versions of GnuPG didn't display the full fingerprint by default. Try to add the
--fingerprintflag if it is not displayed.The output is supposed to look like this:
The OpenPGP certificate fingerprint in this case is:
Sometimes fingerprints are displayed in segments of 4 characters each with whitespace to make it easier for humans to read. In this case it is safe to ignore the whitespace for comparison:
Attention: Be sure not only to compare parts of the fingerprint, as this again opens up room for spoofing attacks.
For easy and thorough comparison just copy both fingerprints equally formatted in subsequent lines in a text editor of your choice and visually match them.
Import the certificate
If the full fingerprint is an exact match, import the certificate into your local GnuPG keyring:
Authenticate the file
Now you can cryptographically verify the file exactly matches the one published and signed by the author.
Attention: Be sure to always list both the detached signature and the file to authenticate here. Apart of detached signatures there are other types of signatures and not realizing this can lead to wrong assumptions of authenticity if only the signature file is listed.
The output is supposed to look like this:
Attention: In case the file has been manipulated, you are supposed to see something like this:
If this happens you should not use or execute the contents of the file as a precaution and contact the author. If the author cannot be reached, raising awareness publicly is the next best thing.
Authenticating files published by the author time and time again
The warning displayed in the last step is a hint that it would be a good idea to certify the imported author's signing certificate with your own personal OpenPGP certificate after you made sure it is legit.
If you keep and maintain your GnuPG keystore over a long time you don't need to verify the author's certificate for each new file again and make the whole process both easier and less prone to attack in the future.
Attention: A personal OpenPGP certificate is mandatory for this. Instruction for creating one are not the topic of this answer.
Issuing a certification works like this:
It tells both GnuPG and yourself in the future that you already thoroughly verified this author's certificate.
Afterwards the output of
gpg --verify ossec-hids-2.9.3.tar.gz.asc 2.9.3.tar.gzlooks much more clean and assuring like this: