Here are some tips on how to secure and validate files using GPG and certutil in Windows.
Signing
You can sign files using GPG. The command below creates a new file with the .asc suffix that contains a detached signature of the target file:
gpg --detach-sign --armor SomeZipFile.zip
If you want other people to be able to verify that a file was signed by your GPG key, you need to share your public GPG key with them. You can do this manually, e.g. on the GitHub releases page or directly in readme.md, or you can publish the key on a trusted keyserver with the following command:
gpg --keyserver keys.openpgp.org --send-keys 3AA5C34371567BD2
Verification
Verification is a common task that every open-source software engineer must know about.
Importing the public key
If you need to validate files that were signed by someone else, you first need to import the public key that was used to create the signature.
You can do this from a trusted keyserver (do not forget to replace 3AA5C34371567BD2 with the GPG key ID that was used to sign the file):
gpg --keyserver keys.openpgp.org --recv 3AA5C34371567BD2
Or manually from file:
gpg --import somekeyfile.key
Next, just use the command below to verify the target file:
gpg --verify SomeZipFile.zip.asc SomeZipFile.zip
SHA hash
Sometimes people also provide SHA256/SHA512 hashes as an additional way to validate a file. Keep in mind that a hash only proves integrity if you obtained the expected value from a source you trust, since whoever can replace the file can usually replace a hash published next to it. You can compute a file's SHA* hash with this command:
certutil -hashfile SomeZipFile.zip SHA512
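A PowerShell script that combines the signature check and the certutil hash check into one verification step, added here as an example that is not part of the original post. It assumes gpg.exe and certutil.exe are on PATH, that the signer's key has already been imported as described above, and it uses a placeholder for the expected hash.

```powershell
# Added example (not from the original post): verify a downloaded archive on Windows
# by checking its SHA-512 hash with certutil and its detached GPG signature.
# Assumptions: gpg.exe and certutil.exe are on PATH, the signer's public key has
# already been imported (and its fingerprint confirmed out-of-band), and
# $ExpectedSha512 is the value the publisher posted (placeholder below).
param(
    [string]$File = 'SomeZipFile.zip',
    [string]$Signature = 'SomeZipFile.zip.asc',
    [string]$ExpectedSha512 = '<sha512-from-the-release-page>'
)

function Get-CertutilHash {
    param([string]$Path, [string]$Algorithm = 'SHA512')
    $lines = & certutil -hashfile $Path $Algorithm
    if ($LASTEXITCODE -ne 0) { throw "certutil failed for $Path" }
    # certutil prints a header, the hash (older builds put a space between byte
    # pairs) and a status line; keep the line that is only hex digits and spaces.
    $hexLine = $lines | Where-Object { $_ -match '^\s*[0-9a-fA-F]{2}(\s?[0-9a-fA-F]{2})+\s*$' } |
        Select-Object -First 1
    if (-not $hexLine) { throw "could not find a hash in certutil output for $Path" }
    return ($hexLine -replace '\s', '').ToLowerInvariant()
}

function Test-GpgSignature {
    param([string]$Path, [string]$SigPath)
    # gpg exits non-zero for a BAD signature or an unknown key, but exits 0 for a
    # 'Good signature' from an imported key even when that key is not trusted,
    # so the fingerprint must have been verified before relying on this result.
    $null = & gpg --verify $SigPath $Path 2>&1
    return ($LASTEXITCODE -eq 0)
}

$actual = Get-CertutilHash -Path $File
if ($actual -ne $ExpectedSha512.ToLowerInvariant()) {
    Write-Error "SHA-512 mismatch for ${File}: got $actual"
    exit 1
}
if (-not (Test-GpgSignature -Path $File -SigPath $Signature)) {
    Write-Error "GPG signature check failed for $File"
    exit 1
}
Write-Host "OK: hash and signature verified for $File"
```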