Using GPG Public Key

Asmir Abdulahovic published on

GNU Privacy Guard (GPG) is a popular public-key encryption and signing system, often used for signing or encrypting emails, files or even git commits. This post focuses on using a provided public key to check the signature validity of files signed with the corresponding private key.

Install GPG

On Linux it is found in nearly all distributions under the package name gpg or gpg2. If both are present and gpg is not an alias for gpg2, use gpg2. On Windows, besides using WSL, there is a native GPG distribution named Gpg4win.

Importing Key

One way to distribute public keys is through a keyserver such as hkps://keyserver.ubuntu.com or hkp://pgp.mit.edu. To import the key with ID 3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2 from the hkps://keyserver.ubuntu.com keyserver, issue:

$ gpg2 --keyserver hkps://keyserver.ubuntu.com --recv-key 3BDD542C9B0BE180D5802DFF020C42B7A9ABA3E2

The output of the command above will look like:

gpg: /home/akill/.gnupg/trustdb.gpg: trustdb created
gpg: key 020C42B7A9ABA3E2: public key "Asmir A (new key 300523) <asmir.abdulahovic@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

It is also possible to use the "short" ID, i.e. only the last 8 hex digits of the ID (A9ABA3E2 in our case), but this is discouraged because of possible ID collisions.

To search for and import a key by email address, for example asmir.abdulahovic@gmail.com, issue:

$ gpg2 --keyserver hkps://keyserver.ubuntu.com --search-keys "asmir.abdulahovic@gmail.com"

Note that the hkps protocol is to hkp what https is to http; prefer it to avoid MITM and other attacks.

Verify Signature

After successfully importing the public key, the signature of a given file can be verified by issuing the following command:

$ gpg2 --verify my_file.png.asc

Note the .asc extension in the command above. It results from using gpg to attach the signature to the file in ASCII-armored form, so that both the file and the signature are represented as ASCII text. It is, however, possible to compress the file and attach the signature in binary format instead; in that case the conventional practice is to use the .gpg extension, so in the previous example the file would be named my_file.png.gpg. Verifying it is identical to verifying the .asc file.

After verifying, we still need the original file. To extract it, use:

$ gpg2 --out my_file.png --decrypt my_file.png.asc

Interestingly, for file formats like .pdf which ignore data appended to the end of the file, it is possible to attach a signature and use the resulting file as a normal .pdf while still being able to check that signature. More on that in another post.

Export Key

Simply issue:

$ gpg2 --export --armor <KEY_ID>

Lastly, I'll attach my public key here, the output of the command above; it can also be found in the about/ section of this site.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZHZDwBYJKwYBBAHaRw8BAQdAPTwI6nfqQ+DtOgyGnwh2Z/rHmeIaw48Cj1ac
r7siWg60NkFzbWlyIEEgKG5ldyBrZXkgMzAwNTIzKSA8YXNtaXIuYWJkdWxhaG92
aWNAZ21haWwuY29tPoiTBBMWCgA7FiEEO91ULJsL4YDVgC3/AgxCt6mro+IFAmR2
Q8ACGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQAgxCt6mro+LMfgD/
a1FeF7N7CxwCne8jD/4wPTCgNvo8JDLYIugd+b3w4fEA/Az6BIxa/s1Nf2fZmI9C
mvuMi9GztilFtCT+gHTtkAIPuDgEZHZDwBIKKwYBBAGXVQEFAQEHQE2Jm31r9Nv4
1H5HFOeIHwrUE09XuL/CzQE3WcXviq0hAwEIB4h4BBgWCgAgFiEEO91ULJsL4YDV
gC3/AgxCt6mro+IFAmR2Q8ACGwwACgkQAgxCt6mro+KfqgD9HrUJdZ2Y6cvcYyt/
yMoxPvGKDCYo4Pys9Qi3M1oKKUMBAMJ4Dt6xjWyZIrNDjXmJhm4Qap9CAo0+SPM1
BudaRLwI
=nRnt
-----END PGP PUBLIC KEY BLOCK-----
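The whole procedure from the Importing Key, Verify Signature and Export Key sections, run end to end and offline, as an added example that is not the author's code. A throw-away "signer" keyring generates a key, signs a file and exports the public key the way the post does with --export --armor; a separate "verifier" keyring imports that exported file in place of the keyserver fetch, pins the full fingerprint rather than the short ID, verifies the .asc and .gpg bundles, extracts the original with --decrypt, and then goes slightly beyond the post by producing a detached signature (.sig) to show what a failed verification looks like. The user ID "Demo Signer", all paths and the file contents are constructed for the demo; it assumes a gpg2 or gpg binary from GnuPG 2.1 or later and returns exit status 3 if none is installed.

```shell
#!/bin/sh
# Offline round trip of the post's workflow. Two throw-away keyrings are used:
# "signer" generates a key, signs a file and exports its public key (what the
# post prints with --export --armor); "verifier" imports that file instead of
# fetching from a keyserver, pins the full fingerprint, verifies the .asc and
# .gpg bundles, extracts the original and checks that a tampered file fails.
# All names, paths and contents are constructed for the demo.
# Exit status: 0 success, 3 no gpg/gpg2 binary found, 1 a step failed.
gpg_roundtrip_demo() {
    GPGBIN=$(command -v gpg2 || command -v gpg) || return 3
    work=$(mktemp -d) || return 1
    signer="$work/signer"; verifier="$work/verifier"
    mkdir -m 700 "$signer" "$verifier" || { rm -rf "$work"; return 1; }
    rc=1

    # Run gpg non-interactively against one keyring; stderr chatter is dropped.
    g() { home=$1; shift; "$GPGBIN" --homedir "$home" --batch --quiet "$@" 2>/dev/null; }
    # Primary-key fingerprint of the (only) key in a keyring, from colon-separated output.
    fpr() { g "$1" --with-colons --fingerprint | awk -F: '$1 == "fpr" { print $10; exit }'; }

    if
        # 1. Signer: unprotected demo key (never for a real key), a file, signed bundles.
        g "$signer" --pinentry-mode loopback --passphrase '' \
            --quick-generate-key 'Demo Signer <demo@example.invalid>' ed25519 sign 0 &&
        printf 'hello from the demo\n' > "$work/my_file.txt" &&
        g "$signer" --armor --output "$work/my_file.txt.asc" --sign "$work/my_file.txt" &&
        g "$signer" --output "$work/my_file.txt.gpg" --sign "$work/my_file.txt" &&
        g "$signer" --output "$work/my_file.txt.sig" --detach-sign "$work/my_file.txt" &&
        g "$signer" --armor --export > "$work/signer.pub.asc" &&
        expected=$(fpr "$signer") && [ -n "$expected" ] &&

        # 2. Verifier: import the exported key, then pin the full 40-hex-digit
        #    fingerprint (the 8-digit short ID is what the post warns can collide).
        g "$verifier" --import "$work/signer.pub.asc" &&
        [ "$(fpr "$verifier")" = "$expected" ] &&

        # 3. --verify treats the ASCII (.asc) and binary (.gpg) bundles alike;
        #    the exit status is the verdict, so scripts can rely on it directly.
        g "$verifier" --verify "$work/my_file.txt.asc" &&
        g "$verifier" --verify "$work/my_file.txt.gpg" &&

        # 4. Extract the original; --decrypt on a signed-only bundle unpacks it
        #    and verifies the signature again on the way out.
        g "$verifier" --output "$work/extracted.txt" --decrypt "$work/my_file.txt.asc" &&
        cmp -s "$work/my_file.txt" "$work/extracted.txt" &&

        # 5. Failure mode: a detached signature over the file passes, then fails
        #    once a single byte of the signed data is changed.
        g "$verifier" --verify "$work/my_file.txt.sig" "$work/my_file.txt" &&
        printf 'Hello from the demo\n' > "$work/my_file.txt" &&
        ! g "$verifier" --verify "$work/my_file.txt.sig" "$work/my_file.txt"
    then
        rc=0
    fi

    # Stop the per-keyring agents gpg started, then discard the scratch keyrings.
    gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null || :
    gpgconf --homedir "$verifier" --kill gpg-agent 2>/dev/null || :
    rm -rf "$work"
    return $rc
}

if gpg_roundtrip_demo; then echo "round trip OK"; else echo "demo failed (status $?)"; fi
```

Importing from the exported file stands in for the keyserver fetch so the demo needs no network. With a real key the same pinning step applies: compare the output of gpg2 --fingerprint <KEY_ID> against a fingerprint obtained out of band (the author's site, a business card, a signed release note) before relying on what --verify reports, since anyone can upload a key with a matching short ID or user ID to a keyserver.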