Verifying file integrity with Gpg4win on Windows (PGP verification)

Time: 2022-06-10 17:10:12
Download GnuPG
https://www.gnupg.org/download/index.en.html
Windows download
Gpg4win
https://www.gpg4win.org/download.html

Installation is a simple click-through wizard and needs no further explanation.

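cd into the directory that holds the file to verify; the file and its .asc file (the signature file) must be in the same directory.
For example, Python 3.5.1 needs the two files python-3.5.1.exe and python-3.5.1.exe.asc.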

First verification: obtain the RSA key ID
>gpg --verify python-3.5.1.exe.asc
gpg: assuming signed data in 'python-3.5.1.exe'
gpg: Signature made 12/08/15 05:59:22 中国标准时间 using RSA key ID 487034E5
gpg: Can't check signature: No public key

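This step shows that the RSA key ID is 487034E5. Because we do not have the public key yet, the signature cannot be checked.
Next, download the public key from a public key server. The command below specifies hkp://pool.sks-keyservers.net as the key server and 487034E5 as the ID to download.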
>gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 487034E5
gpg: requesting key 487034E5 from hkp server pool.sks-keyservers.net
gpg: C:/Users/admin/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
gpg: key 487034E5: public key "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)


Then verify again
>gpg --verify python-3.5.1.exe.asc
gpg: assuming signed data in 'python-3.5.1.exe'
gpg: Signature made 12/08/15 05:59:22 中国标准时间 using RSA key ID 487034E5
gpg: Good signature from "Steve Dower (Python Release Signing) <steve.dower@microsoft.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7ED1 0B65 31D7 C8E1 BC29 6021 FC62 4643 4870 34E5

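Note the third line: "Good signature from..." means the signature is correct, so the file can essentially be considered untampered. The WARNING lines after it say that the imported key has not been certified by any key you trust, so gpg cannot confirm that it belongs to the named owner.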
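
A scripted form of the check above, added here as an example and not part of the original post: it reads gpg's machine-readable --status-fd lines and accepts the file only when a good signature comes from the primary key fingerprint shown in the output above, because an 8-character key ID such as 487034E5 does not uniquely identify a key. The function names, the pinned-fingerprint constant and the sample status lines are constructed for this example.

```python
import subprocess
import sys

# Fingerprint printed by gpg on this page; confirm it with the publisher first.
EXPECTED_FPR = "7ED1 0B65 31D7 C8E1 BC29 6021 FC62 4643 4870 34E5"
# Status keywords meaning the signature must not be accepted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample of --status-fd output for a good signature (not captured).
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG FC624643487034E5 Steve Dower (Python Release Signing)"
    " <steve.dower@microsoft.com>\n"
    "[GNUPG:] VALIDSIG 7ED10B6531D7C8E1BC296021FC624643487034E5 2015-12-07"
    " 1449525562 0 4 0 1 8 00 7ED10B6531D7C8E1BC296021FC624643487034E5\n"
)

def normalize(fpr):
    """Drop spaces and upper-case so both fingerprint spellings compare equal."""
    return "".join(fpr.split()).upper()

def check_status(status_text, expected_fpr=EXPECTED_FPR):
    """Return (ok, reason) for the machine-readable status lines gpg emitted."""
    good, primary = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # The 10th field is the primary key fingerprint when gpg supplies it.
            primary = args[9] if len(args) >= 10 else args[0]
    if not good or primary is None:
        return False, "no valid signature reported"
    if normalize(primary) != normalize(expected_fpr):
        return False, "signed by unexpected key " + primary
    return True, "good signature from pinned key"

def verify(sig_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a detached .asc signature and apply check_status to it."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path],
                          capture_output=True, encoding="utf-8", errors="replace")
    ok, reason = check_status(proc.stdout, expected_fpr)
    return ok and proc.returncode == 0, reason

if __name__ == "__main__":
    print(verify(sys.argv[1]) if len(sys.argv) > 1 else check_status(SAMPLE_GOOD))
```

Run it with the path to python-3.5.1.exe.asc as its argument; with no argument it only evaluates the constructed sample.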


Common key servers, from https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29
1. keys.gnupg.net
2. hkp://subkeys.pgp.net (server pool)
3. http://pgp.mit.edu
4. hkp://pool.sks-keyservers.net (server pool, also supports TLS: hkps://hkps.pool.sks-keyservers.net)
5. hkp://zimmermann.mayfirst.org (also supports TLS)
6. http://keyserver.ubuntu.com