在Windows下使用Gpg4win对文件进行完整性校验(PGP校验)

下载GnuPG
https://www.gnupg.org/download/index.en.html

windows下载

Gpg4win
https://www.gpg4win.org/download.html

安装基本上是傻瓜式，不用多说

cd切换到要校验的目录，文件和asc文件(签名文件)位于同一目录

如python3.5.1需要python-3.5.1.exe和python-3.5.1.exe.asc这两个文件

首次校验，获取RSA key ID

>gpg --verify python-3.5.1.exe.asc
gpg: assuming signed data in 'python-3.5.1.exe'
gpg: Signature made 12/08/15 05:59:22 中国标准时间 using RSA key ID 487034E5
gpg: Can't check signature: No public key

这一步可以看到RSA key ID为487034E5，由于没有公钥，所以我们无法检查签名

下一步我们要通过一些公钥服务器下载公钥。命令指定公钥服务器为hkp://pool.sks-keyservers.net，要下载的ID为487034E5

>gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 487034E5
gpg: requesting key 487034E5 from hkp server pool.sks-keyservers.net
gpg: C:/Users/admin/AppData/Roaming/gnupg/trustdb.gpg: trustdb created
gpg: key 487034E5: public key "Steve Dower (Python Release Signing) <steve.dower
@microsoft.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

然后我们再次校验

>gpg --verify python-3.5.1.exe.asc
gpg: assuming signed data in 'python-3.5.1.exe'
gpg: Signature made 12/08/15 05:59:22 中国标准时间 using RSA key ID 487034E5
gpg: Good signature from "Steve Dower (Python Release Signing) <steve.dower@micr
osoft.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7ED1 0B65 31D7 C8E1 BC29  6021 FC62 4643 4870 34E5

注意第三行，出现Good signature from...说明签名是正确的，基本上可以认为文件没有篡改。

常见的密钥服务器，来自维基百科https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29

1.keys.gnupg.net

2.hkp://subkeys.pgp.net (服务器池)

3.http://pgp.mit.edu

4.hkp://pool.sks-keyservers.net (服务器池, 也支持TLS: hkps://hkps.pool.sks-keyservers.net)

5.hkp://zimmermann.mayfirst.org (也支持TLS)

6.http://keyserver.ubuntu.com