以nginx为例,将nginx-1.18.0.tar.gz、nginx-1.18.0.tar.gz.asc下载到同一个目录下。
[root@wp ~]# wget https://nginx.org/download/nginx-1.18.0.tar.gz[root@wp ~]# wget https://nginx.org/download/nginx-1.18.0.tar.gz.asc[root@wp SOURCES]# ll-rw-r--r-- 1 root root 1016K Apr 21 2020 nginx-1.18.0.tar.gz-rw-r--r-- 1 root root 455 Apr 21 2020 nginx-1.18.0.tar.gz.asc先 gpg --verify 验证一下,提示没有公钥,得到公钥ID。
[root@wp SOURCES]# gpg --verify nginx-1.18.0.tar.gz.ascgpg: Signature made Tue 21 Apr 2020 10:13:35 PM CST using RSA key ID A1C052F8gpg: Can't check signature: No public key再从公钥服务器获取公钥,格式为 gpg --keyserver <key_server> --recv-keys <public_key_ID>。keyserver上网去搜,常用的有hkp://pgp.mit.edu、hkp://keyserver.ubuntu.com
[root@wp SOURCES]# gpg --keyserver hkp://pgp.mit.edu --recv-keys A1C052F8gpg: keyring `/root/.gnupg/secring.gpg' createdgpg: requesting key A1C052F8 from hkp server pgp.mit.edugpg: /root/.gnupg/trustdb.gpg: trustdb createdgpg: key A1C052F8: public key "Maxim Dounin <mdounin@mdounin.ru>" importedgpg: key A1C052F8: public key "Maxim Dounin <mdounin@mdounin.ru>" importedgpg: no ultimately trusted keys foundgpg: Total number processed: 2gpg: imported: 2 (RSA: 2)导入公钥以后再验证,提示 Good signature即可。
[root@wp SOURCES]# gpg --verify nginx-1.18.0.tar.gz.ascgpg: Signature made Tue 21 Apr 2020 10:13:35 PM CST using RSA key ID A1C052F8gpg: Good signature from "Maxim Dounin <mdounin@mdounin.ru>"gpg: WARNING: This key is not certified with a trusted signature!gpg: There is no indication that the signature belongs to the owner.Primary key fingerprint: B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8