Verifying Packages

This page explains how to verify the authenticity and integrity of packages.

Open a terminal window and follow the steps below:

Step-1: Extract the software package

Extract the TGZ file you received by email. This is a compressed file similar to Zip files on Windows. Most file managers will display an “Extract Here” option when you right-click the file.

Step-2: Import Public Key

Import my public key from the Ubuntu key server. You can skip this if you have imported my key previously.

gpg --keyid-format long --keyserver hkp:// --recv-keys 0x7D0E596BA81BB0D020834D85442392867C3B6F64

Run this as your normal user, not with sudo: a key imported into root's keyring is not seen by the gpg --verify command in Step-3, which runs against your own keyring.

The output should say that the import was successful.

gpg: key 442392867C3B6F64: public key "Tony George" imported
gpg: Total number processed: 1
gpg: imported: 1

Step-3: Verify Signature

Check if the signature is good:

gpg --verify CHECKSUM.sha512.sig

The output should say “Good signature” from “Tony George” with the key id “7D0E596BA81BB0D020834D85442392867C3B6F64”.

This validates that the file CHECKSUM.sha512 was produced and signed by me.

gpg: assuming signed data in 'CHECKSUM.sha512'
gpg: Signature made Sunday 20 January 2019 07:54:37 PM IST
gpg: using RSA key 7D0E596BA81BB0D020834D85442392867C3B6F64
gpg: Good signature from "Tony George" [ultimate]

Step-4: Verify Checksum

Check if the checksums match:

shasum -c CHECKSUM.sha512

The status should be OK for every file.

This verifies that all files are original and intact, and have not been modified in any way.

ukuu-assets_19.01_amd64.deb: OK
ukuu-gtk_19.01_amd64.deb: OK
ukuu_19.01_amd64.deb: OK

Step-5: Install the packages

Install the packages by executing the file:

sh ./
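As an added example (not part of the original page), the following POSIX shell functions chain Step-3 and Step-4 so they fail closed: the signature is accepted only if gpg's machine-readable status names the fingerprint from this page, and then every checksum must be OK. It assumes gpg, awk, and either sha512sum or shasum are installed; the function and variable names are my own, and the status lines shown in comments are constructed.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint and check all checksums.

# Fingerprint from this page; any other signer is rejected.
EXPECTED_FPR="7D0E596BA81BB0D020834D85442392867C3B6F64"

# Read gpg's status output (from --status-fd) on stdin and succeed only if a
# VALIDSIG line names the expected fingerprint. The human-readable text
# ("Good signature from ...") is not used: it is locale dependent and a
# "Good signature" from some other key would still print it.
status_has_valid_sig() {
    # $1 = expected 40-hex-character fingerprint.
    # Constructed status line of the shape gpg emits:
    # [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pk> <hash> <class> [<primary-fpr>]
    # Field 3 is the signing (sub)key; the last field, when present, is the
    # primary key, so a pinned primary key also accepts its signing subkeys.
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Step-3: verify the detached signature over the checksum file.
verify_signature() {
    # $1 = checksum file, $2 = its detached signature (signature argument first).
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | status_has_valid_sig "$EXPECTED_FPR"
}

# Step-4: every "<sha512>  <file>" line must check out; a malformed or
# missing line is an error, not a skip.
verify_checksums() {
    # $1 = checksum file, run from the directory that holds the packages.
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum -c --strict "$1"
    else
        shasum -a 512 -c --strict "$1"
    fi
}

# Both steps in order; nothing is installed unless both pass.
verify_release() {
    # $1 = checksum file, e.g. CHECKSUM.sha512 (signature expected at $1.sig)
    verify_signature "$1" "$1.sig" || { echo "signature check FAILED" >&2; return 1; }
    verify_checksums "$1" || { echo "checksum check FAILED" >&2; return 1; }
    echo "release verified"
}
```

Call `verify_release CHECKSUM.sha512` from the extracted directory before running the installer in Step-5.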