To check whether a file came from a legitimate source, we often need to compare its signature and checksum. But how do we do that? As an example, we will download the Cygwin installer and then check that it came from the distributor by verifying the signature the distributor publishes against their public key. We will use the gpg utility.
Go to URL: https://cygwin.com/install.html
The page says: Run setup-x86_64.exe any time you want to update or install a Cygwin package for 64-bit Windows. The signature for setup-x86_64.exe can be used to verify the validity of this binary using the public key linked there.
Step 1 – Download and import the public key
Save the public key to a file named pubring.asc and import it into the local keyring, then list the keys to confirm it is present:
gpg --import pubring.asc
gpg --list-keys
Step 2 – Download the file and its signature
Once the public key is imported, download the installer and its detached signature file. The naming convention is the installer name with a .sig suffix:
setup-x86_64.exe.sig
setup-x86_64.exe
Step 3 – Verify the file signature
With both files in the same directory, open a terminal and run the verification, giving the signature file first and the installer second:
gpg --verify setup-x86_64.exe.sig setup-x86_64.exe
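A detail the bare command hides: gpg --verify reports "Good signature" for any key in the local keyring, and on a freshly imported key it also warns that the key "is not certified with a trusted signature", which only reflects the local web of trust. The following script is an added example (not from this page or the Cygwin project) that drives gpg with --status-fd and accepts the installer only when the signature is good and was made by a pinned fingerprint; the fingerprint constant and the sample status output are constructed placeholders, so substitute the real fingerprint published on https://cygwin.com/install.html before use.

```python
import subprocess

# Hypothetical placeholder: replace with the real fingerprint of the Cygwin signing
# key, copied from https://cygwin.com/install.html (this page does not list it).
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of what gpg emits on --status-fd for a good signature from a
# freshly imported key (hence TRUST_UNDEFINED); field layout follows gpg's doc/DETAILS.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def gpg_status(sig_path: str, data_path: str) -> str:
    """Run gpg --verify and return its machine-readable status lines (needs gpg installed)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return proc.stdout


def check_signature(status: str, expected_fpr: str) -> dict:
    """Accept only a good signature made by the expected key.
    gpg --verify exits 0 for a good signature from *any* imported key, so the
    fingerprint is pinned here; TRUST_* lines only reflect local web-of-trust
    certification (the "not certified with a trusted signature" warning)."""
    verdict = {"ok": False, "fingerprint": None, "wot_trusted": False, "reason": ""}
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "BADSIG":
            verdict["reason"] = "signature does not match the file"
            return verdict
        if tag == "NO_PUBKEY":
            verdict["reason"] = "signer's public key has not been imported"
            return verdict
        if tag == "VALIDSIG":
            # fields[2]: signing (sub)key fingerprint; fields[-1]: primary key fingerprint
            verdict["fingerprint"] = fields[2]
            if expected_fpr.upper() in (fields[2].upper(), fields[-1].upper()):
                verdict["ok"] = True
            else:
                verdict["reason"] = "good signature, but not from the expected key"
        elif tag in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            verdict["wot_trusted"] = True
    verdict["reason"] = verdict["reason"] or ("" if verdict["fingerprint"] else "no signature found")
    return verdict
```

In practice call check_signature(gpg_status("setup-x86_64.exe.sig", "setup-x86_64.exe"), EXPECTED_FPR) and treat anything but ok == True as a failed download.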
Further reading:
How to verify the validity of the binary using the public key: https://superuser.com/questions/773138/how-to-verify-the-validity-of-the-binary-using-the-public-key
GPG: why is my trusted key not certified with a trusted signature? https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature