GnuPG Key Fingerprint Verifier is a shell tool that runs simple verification checks
on GPG keys to decide whether they are safe to import/add.
Besides verifying GPG keys against their fingerprints, the tool also checks whether a GPG key import file
contains any possibly malicious keys embedded alongside the actual key
(the maximum number of public keys allowed in an import file is 1).
This could be useful for automation purposes (like in Docker, for example),
where GPG key fingerprints cannot be manually verified.
Piping GPG keys fetched with curl into commands such as apt-key
can be harmful,
and the goal of this verification tool is to raise awareness about that habit.
- GnuPG (Legacy versions are supported.)
Download using curl:
curl -fL -O https://raw.githubusercontent.com/akai-z/gpg-key-fingerprint-verifier/master/gpg-key-fingerprint-verifier
Or by using wget:
wget https://raw.githubusercontent.com/akai-z/gpg-key-fingerprint-verifier/master/gpg-key-fingerprint-verifier
Optionally, you can verify the file's integrity before using it (recommended).
See the file integrity verification section for more details.
Make the tool executable:
chmod +x gpg-key-fingerprint-verifier
Make the tool globally accessible:
sudo mv gpg-key-fingerprint-verifier /usr/local/bin/
To verify the integrity of the file gpg-key-fingerprint-verifier:
Compute the SHA-256 hash value of the file using a program like sha256sum:
sha256sum gpg-key-fingerprint-verifier
Once the hash value of the current state of the file is computed,
compare it with the one included in this repository (gpg-key-fingerprint-verifier.sha2).
gpg-key-fingerprint-verifier \
--gpg-key-import-file=<gpg-key-import-file> \
--gpg-public-key-fingerprint=<gpg-public-key-fingerprint> \
--gpg-subkey-fingerprint=<gpg-subkey-fingerprint> \
[--print-gpg-key-list] \
[-q | --quiet]
- --gpg-key-import-file: GPG key import file path.
- --gpg-public-key-fingerprint: A 40-character GPG public key fingerprint, without spaces.
  (This will be ignored if --print-gpg-key-list is used.)
- --gpg-subkey-fingerprint: A 40-character GPG subkey fingerprint, without spaces.
  This should be the default subkey (with record type sub) in the GPG key listing, but other subkeys could be used.
  Verifying the GPG subkey fingerprint is optional, but recommended.
  (This will be ignored if --print-gpg-key-list is used.)
- --print-gpg-key-list: Prints a machine-parseable GPG key listing of the provided GPG key import file. (Optional)
  More details about the format of the machine-parseable GPG key listing can be found here.
- -q, --quiet: Suppresses the verification success message. (Optional)
This example shows how the verification tool could be used with the apt-key add command:
curl -fL -o <gpg-key-import-file> <gpg-key-import-file-url> && \
gpg-key-fingerprint-verifier -q \
--gpg-key-import-file=<gpg-key-import-file> \
--gpg-public-key-fingerprint=<gpg-public-key-fingerprint> \
--gpg-subkey-fingerprint=<gpg-subkey-fingerprint> \
&& apt-key add <gpg-key-import-file>
The AND operator (&&) can be omitted if the set builtin is used with the exit-on-error option (set -e).