Home GPG: Files validation with GPG and SHA

GPG: Files validation with GPG and SHA

Here are some tips on how to secure and validate files using GPG and certutil in Windows.


You can sign files using GPG. The command below adds a new file with .asc postfix contains a target file signature.

gpg --detach-sign --armor SomeZipFile.zip

If you want other people to have the opportunity to verify files was signed by your GPG key - you need to share public GPG key to them. It is possible to do it manually e.g. in GitHub releases page or directly in readme.md, or you can publish key on trusted keyserver by the following command:

gpg --keyserver keys.openpgp.org --send-keys 3AA5C34371567BD2


Verification is a common feature that every opensource software engineer must know about.

Importing the public key

If you need to validate files that were signed not by you, first of all you need to import the public key that used for signature creation.

You can do this from trusted keyserver (do not forget to replace 3AA5C34371567BD2 to GPG key ID that used for file signing):

gpg --keyserver keys.openpgp.org --recv 3AA5C34371567BD2

Or manually from file:

gpg --import somekeyfile.key

Next, just use the command below to verify the target file:

gpg --verify SomeZipFile.zip.asc SomeZipFile.zip

SHA hash

Sometimes people provide SHA256/SHA512 hashcodes for additional validation way. You can check some file SHA* hash by using this command:

certutil -hashfile SomeZipFile.zip SHA512
This post is licensed under CC BY 4.0 by the author.

GPG: Share existing GPG key

GitHub Actions: Setup Check-In build