+++
title = "Using GPG Public Key"
+++

GNU Privacy Guard (GPG) is a popular two factor encryption system often used for signing or encrypting emails, files or even git commits. This post focuses on using a provided public key to check signature validity for files signed using the complementary private key.

## Install GPG

On Linux it's found in nearly all distributions under the package name gpg or gpg2. If both are present and gpg is not an alias to gpg2, please use gpg2. On Windows, besides using WSL, there is a native GPG distribution named gpg4win.

## Importing Key

One way to keep public keys is by using a keyserver such as _hkps://keyserver.ubuntu.com_ or _hkp://pgp.mit.edu_. To import the key with ID _3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2_ from the **hkps://keyserver.ubuntu.com** keyserver, issue the command:

```bash
$ gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-key 3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2
```

The output of the command above will look like:

```
gpg: /home/akill/.gnupg/trustdb.gpg: trustdb created
gpg: key 020C42B7A9ABA3E2: public key "Asmir A (new key 300523) " imported
gpg: Total number processed: 1
gpg: imported: 1
```

It's also possible to use a "short" ID, made of only the last 8 digits of the hexadecimal ID representation, in our case _A9ABA3E2_ - but it's discouraged because of possible ID collisions.

To search for and import a key using an email address, for example _asmir.abdulahovic@gmail.com_, issue the command:

```bash
$ gpg2 --keyserver hkps://keyserver.ubuntu.com --search-keys "asmir.abdulahovic@gmail.com"
```

Note that selecting the _hkps_ protocol is similar to selecting _https_ instead of _http_; prefer it to avoid _MITM_ and other attacks.

## Verify Signature

After successfully importing the public key, it's possible to verify the signature of a given file by issuing the following command:

```bash
$ gpg2 --verify my_file.png.asc
```

Please notice the .asc extension in the command above.
It's a result of using gpg to attach the signature at the end of the file while both the file and the signature are represented in ASCII format. It is, however, possible to compress the file and add the signature in binary format. In that case the conventional practice is to use the .gpg extension, so in the previous case the file would be named _my_file.png.gpg_. Verifying it is identical to verifying the .asc file.

After verifying, we still need the original file. To extract it use:

```bash
$ gpg2 --output my_file.png --decrypt my_file.png.asc
```

Interestingly, for files like .pdf, which ignore data appended to the end of the file, it's possible to attach a signature and use the resulting file as a normal .pdf while still being able to check the same signature. More on that in another post.

## Export Key

Simply issue:

```
$ gpg2 --export --armor
```

Lastly, I'll attach my public key, the output of the command above, here; it can also be found in the about/ section of this site.
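Following up on the Importing Key and Verify Signature sections: `gpg2 --verify` reports a good signature for any key present in the keyring, so this added example (not part of the original post) pins the signer to the full 40-digit fingerprint by parsing GnuPG's `--status-fd` output. The function names are hypothetical, rejecting expired or revoked keys is a policy choice of the example, and it assumes the GnuPG 2.x `VALIDSIG` line ends with the primary key fingerprint.

```sh
#!/bin/sh
# Added example: accept a signature only from one pinned key.
# Fingerprint taken from this post; replace it with the key you expect.
EXPECTED_FPR=3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2

# status_matches_fpr FPR   (hypothetical helper name)
# Reads `gpg2 --status-fd 1 --verify` output on stdin. Returns 0 only if a
# VALIDSIG line names FPR as the primary key and no failure status is seen,
# 1 on any other result, 2 if FPR is not a full 40-digit fingerprint.
status_matches_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    # Short (8-digit) and long (16-digit) key IDs are refused outright.
    case $want in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    matched=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '[GNUPG:] VALIDSIG '*)
                # The last VALIDSIG field is the primary key fingerprint.
                if [ "${line##* }" = "$want" ]; then matched=0; fi ;;
            '[GNUPG:] BADSIG '*|'[GNUPG:] ERRSIG '*|'[GNUPG:] EXPSIG '*)
                return 1 ;;
            # Policy choice of this example: expired or revoked keys fail.
            '[GNUPG:] EXPKEYSIG '*|'[GNUPG:] REVKEYSIG '*)
                return 1 ;;
        esac
    done
    return "$matched"
}

# verify_pinned SIGNED_FILE [FPR]   (hypothetical helper name)
# Runs the verification command from this post and applies the check above.
# With gpg2 missing or no signature present, nothing matches and it fails.
verify_pinned() {
    gpg2 --status-fd 1 --verify "$1" 2>/dev/null |
        status_matches_fpr "${2:-$EXPECTED_FPR}"
}
```

Call it as `verify_pinned my_file.png.asc` and extract the file only when it returns 0.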