Verify file integrity using the GnuPG signature without touching your local GnuPG configuration.
I will use the Debian package of ejabberd, the robust, scalable, and extensible XMPP server provided by ProcessOne, as an example.
Download the Debian package file.
$ wget --quiet https://www.process-one.net/downloads/ejabberd/18.01/ejabberd_18.01-0_amd64.deb
It is a standard Debian package.
$ file ejabberd_18.01-0_amd64.deb
ejabberd_18.01-0_amd64.deb: Debian binary package (format 2.0)
Download the signature file.
$ wget --quiet https://www.process-one.net/downloads/ejabberd/18.01/ejabberd_18.01-0_amd64.deb.asc
It is a regular signature file.
$ file ejabberd_18.01-0_amd64.deb.asc
ejabberd_18.01-0_amd64.deb.asc: PGP signature Signature (old)
$ cat ejabberd_18.01-0_amd64.deb.asc
-----BEGIN PGP SIGNATURE-----

iEYEABECAAYFAlpYfKMACgkQjspGlBnAkxH0cQCgt1ry5hd7EVIlv45mWVSlP9sx
zCQAoIHDjcuDLAxl/qOCSD8fem9Tg56p
=1iIq
-----END PGP SIGNATURE-----
Download the GnuPG public key that was used to create the signature file and store it in a dedicated keyring. The key ID is taken from the issuer field of the signature packet itself, which is why the signature file is piped through gpg --list-packets.
$ gpg --no-default-keyring \
      --keyring ./ejabberd-keyring.gpg \
      --keyserver keyserver.ubuntu.com \
      --recv $(cat ejabberd_18.01-0_amd64.deb.asc | \
               gpg --no-default-keyring --list-packets - | \
               awk '/^:/ {print $NF}')
gpg: keybox './ejabberd-keyring.gpg' created
gpg: key 8ECA469419C09311: public key "Process-one <contact@process-one.net>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1
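To see exactly what the gpg --list-packets | awk pipeline above extracts, here is an added example, written for this page rather than taken from it or from GnuPG or ProcessOne: a small pure-Python parser that strips the ASCII armor from the signature shown earlier, decodes the v4 signature packet and returns its metadata, including the issuer key ID that gets fed to --recv. The signature text is the .asc contents from the page, embedded so the script runs offline; the function names and the layout of the result dictionary are this example's own.

```python
"""Added example: parse a detached OpenPGP (RFC 4880) v4 signature in pure
Python and report what `gpg --list-packets` shows, issuer key ID included."""
import base64
import datetime
import struct

# ejabberd_18.01-0_amd64.deb.asc as shown on the page (embedded copy).
ASC = """-----BEGIN PGP SIGNATURE-----

iEYEABECAAYFAlpYfKMACgkQjspGlBnAkxH0cQCgt1ry5hd7EVIlv45mWVSlP9sx
zCQAoIHDjcuDLAxl/qOCSD8fem9Tg56p
=1iIq
-----END PGP SIGNATURE-----
"""

PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def crc24(data):
    """OpenPGP CRC-24 as given in RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Strip ASCII armor; return (raw packet bytes, whether the CRC line matched)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                       # armor headers end at the blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    crc_ok = None
    if crc_line is not None:
        crc_ok = crc24(data) == int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return data, crc_ok


def read_packet(data):
    """Parse one packet header (old or new format, RFC 4880 4.2); return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("bad packet header")
    if first & 0x40:                     # new format
        tag, second = first & 0x3F, data[1]
        if second < 192:
            length, off = second, 2
        elif second < 224:
            length, off = ((second - 192) << 8) + data[2] + 192, 3
        elif second == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old format (used by the .asc above)
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]


def read_subpackets(buf):
    """Yield (type, body) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
        sub = buf[i:i + length]
        i += length
        yield sub[0] & 0x7F, sub[1:]      # top bit of the type is the "critical" flag


def read_mpis(buf):
    """Return [(bit length, value), ...] for the MPIs that make up the signature."""
    mpis, i = [], 0
    while i < len(buf):
        bits = struct.unpack(">H", buf[i:i + 2])[0]
        nbytes = (bits + 7) // 8
        mpis.append((bits, int.from_bytes(buf[i + 2:i + 2 + nbytes], "big")))
        i += 2 + nbytes
    return mpis


def parse_signature(armored):
    """Return the metadata of a v4 detached signature as a dict."""
    data, crc_ok = dearmor(armored)
    tag, body = read_packet(data)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    if body[0] != 4:
        raise ValueError(f"only v4 signatures are handled, got v{body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    pos += 2 + unhashed_len
    info = {
        "crc_ok": crc_ok,
        "sig_type": body[1],             # 0x00 = signature of a binary document
        "pubkey_algo": PUBKEY_ALGOS.get(body[2], body[2]),
        "hash_algo": HASH_ALGOS.get(body[3], body[3]),
        "hash_left16": body[pos:pos + 2].hex().upper(),
        "mpi_bits": [bits for bits, _ in read_mpis(body[pos + 2:])],
    }
    for area, subs in (("hashed", hashed), ("unhashed", unhashed)):
        for stype, sbody in read_subpackets(subs):
            if stype == 2:               # signature creation time
                info["created"] = struct.unpack(">I", sbody)[0]
                info["created_utc"] = datetime.datetime.fromtimestamp(
                    info["created"], datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            elif stype == 16:            # issuer key ID, what --recv is given above
                info["issuer_key_id"] = sbody.hex().upper()
                info["issuer_area"] = area
            elif stype == 33:            # issuer fingerprint (newer signatures, RFC 9580)
                info["issuer_fingerprint"] = sbody[1:].hex().upper()
    return info


if __name__ == "__main__":
    for key, value in parse_signature(ASC).items():
        print(f"{key:19} {value}")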
Update the temporary Web of Trust by assigning ultimate ownertrust (level 6) to the imported key in a dedicated trustdb. Do this only after you have checked the key's fingerprint against a source you trust independently of the download site and the keyserver: the key ID came from the signature file itself and anyone can upload a key to a keyserver, so a matching key ID proves nothing on its own.
$ gpg --no-default-keyring \
      --keyring ./ejabberd-keyring.gpg \
      --list-keys \
      --fingerprint \
      --with-colons | \
  awk -F: '$1 == "pub" {getline;print $10":6"}' | \
  gpg --no-default-keyring \
      --trustdb-name ./ejabberd-trustdb.db \
      --import-ownertrust
gpg: ./ejabberd-trustdb.db: trustdb created
gpg: setting ownertrust to 6
Verify the Debian package signature file.
$ gpg --no-default-keyring \
      --keyring ./ejabberd-keyring.gpg \
      --trustdb-name ./ejabberd-trustdb.db \
      --verify ejabberd_18.01-0_amd64.deb.asc
gpg: assuming signed data in 'ejabberd_18.01-0_amd64.deb'
gpg: Signature made Fri Jan 12 09:15:15 2018 UTC
gpg:                using DSA key 8ECA469419C09311
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Process-one <contact@process-one.net>" [ultimate]
You will see the following message in those rare cases when the downloaded file does not match what was signed, whether because the download is corrupted or truncated or because the file has been tampered with. gpg also exits with a non-zero status in that case, which is what a script should test instead of the message text.
gpg: assuming signed data in 'ejabberd_18.01-0_amd64.deb'
gpg: Signature made Fri Jan 12 09:15:15 2018 UTC
gpg:                using DSA key 8ECA469419C09311
gpg: BAD signature from "Process-one <contact@process-one.net>" [ultimate]