
How to Verify a GPG Signature

Part 1 of 2: Downloading What You Need

To verify that someone has signed a file, you will need three things: a copy of that person's Public Key, a copy of the file, and a copy of the signature-file that was allegedly created from the person's Secret Key and the file.

  1. Acquire the Public Key.
    • Import the Public Key into GPG.
  2. Acquire a copy of the file in question.
    • Save it in a folder.
  3. Acquire a copy of the signature-file in question.
    • Save it in the same folder.

Part 2 of 2: Using GPG to Verify that Someone's Secret Key Signed the File in Question

GPG will help you verify the relationship between your three files.

  1. Open a command-line interface.
    • Change the working directory to the folder where your file and signature-file are saved.
  2. Verify the signature.
    • Type the following command into a command-line interface:
      gpg --verify [signature-file] [file]
    • E.g., if you have acquired
      (1) the Public Key 0x416F061063FEE659,
      (2) the Tor Browser Bundle file (tor-browser.tar.gz), and
      (3) the signature-file posted alongside the Tor Browser Bundle file (tor-browser.tar.gz.asc),
      you would type the following:
      gpg --verify tor-browser.tar.gz.asc tor-browser.tar.gz
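
An added example, not part of the original article: gpg --verify reports a good signature from any key in your keyring, so this script also checks that the signer is the key you expected. The function names and the script name verify_pinned.sh are hypothetical; the key ID and file names in the usage comment are the ones from the example above.

```shell
#!/bin/sh
# Added example (not from the original page): verify a detached signature and
# also confirm WHICH key made it. `gpg --verify` alone accepts a good signature
# from any key in your keyring, so the signer is compared to the expected key.

# Read `gpg --status-fd` output on stdin; print the signer's primary-key
# fingerprint only when gpg reported GOODSIG (key not expired or revoked) and
# VALIDSIG, whose last field is the primary key fingerprint.
primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr }'
}

# fpr_matches FINGERPRINT EXPECTED: succeed when FINGERPRINT ends with EXPECTED,
# which may be a full fingerprint or a 16-digit long key ID (0x prefix, spaces
# and lower case allowed). Shorter IDs are refused as too easy to collide.
fpr_matches() {
    got=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ' ')
    want=$(printf '%s' "${want#0[xX]}" | tr 'a-f' 'A-F')
    case $want in *[!0-9A-F]*) return 1 ;; esac
    [ "${#want}" -ge 16 ] || return 1
    case $got in *"$want") return 0 ;; esac
    return 1
}

# verify_pinned EXPECTED SIGNATURE-FILE FILE
verify_pinned() {
    status=$(gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null) || {
        echo "signature did not verify" >&2
        return 1
    }
    fpr=$(printf '%s\n' "$status" | primary_fpr)
    if fpr_matches "$fpr" "$1"; then
        echo "good signature from expected key $fpr"
    else
        echo "signature is not from the expected key (got: ${fpr:-none})" >&2
        return 2
    fi
}

# Usage, with the file names and key ID from the example above:
#   sh verify_pinned.sh 0x416F061063FEE659 tor-browser.tar.gz.asc tor-browser.tar.gz
if [ "$#" -eq 3 ]; then verify_pinned "$@"; fi
```

A full fingerprint obtained from a source you trust is a stronger pin than a key ID; pass it as the first argument in place of the key ID when you have one.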