Verifying signatures

If you have a signature, the associated file to verify, and the signer's public key, you can verify that the signature is valid for that file and public key.

You can specify the signer's public key in either of two ways:

  • As a string (easiest): Ed//L2CzmImpu9UA6HFjllemS4TVaE84PdTTrTNc5i6gxFU=

  • As a .public file (more long-term): signing.public

If you see the message 'Bad signature', the signature is not valid for that public key and the comment will not be displayed. This means either:

  • The public key is wrong for that signature file.

  • The file has been corrupted or tampered with.

If the signature file has the same file name (minus the .signature extension) and is in the same directory as the file to verify, you don't need to specify the signature file:

$ kryptor -v -y Ed//L2CzmImpu9UA6HFjllemS4TVaE84PdTTrTNc5i6gxFU= file.zip

Good signature.
Authenticated comment: Signed by Bob on the 4th of February 2022.

Here's an example where the signature file name is different to that of the file to verify:

$ kryptor -v -y Ed//L2CzmImpu9UA6HFjllemS4TVaE84PdTTrTNc5i6gxFU= -t file.signature file.zip

If the signature is valid, you'll see the message 'Good signature', followed by the authenticated comment if there is one.
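To gate a script on the result, the following added example (not part of the Kryptor documentation) wraps the commands above and succeeds only when 'Good signature' is reported for a pinned public key. It assumes kryptor is on the PATH, captures both stdout and stderr because the page does not say where the verdict is printed, and does not rely on kryptor's exit status; verify_pinned and KRYPTOR_BIN are names made up for this example.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around 'kryptor -v'.
# Assumption: the verdict text ('Good signature' / 'Bad signature') and the
# 'Authenticated comment: ' prefix appear as shown in the documentation above.

KRYPTOR_BIN="${KRYPTOR_BIN:-kryptor}"   # hypothetical override, used for testing

# verify_pinned PUBKEY FILE [SIGNATURE_FILE]
#   PUBKEY is the public key string or a .public file, obtained out of band.
#   Returns 0 on 'Good signature' and prints the authenticated comment, if any.
#   Returns 1 on 'Bad signature', 2 if neither message was seen.
verify_pinned() {
    pubkey=$1
    file=$2
    sig=${3:-}

    if [ -n "$sig" ]; then
        # Signature file name differs from FILE: pass it with -t.
        out=$("$KRYPTOR_BIN" -v -y "$pubkey" -t "$sig" "$file" 2>&1) || true
    else
        # Signature file sits next to FILE under the default name.
        out=$("$KRYPTOR_BIN" -v -y "$pubkey" "$file" 2>&1) || true
    fi

    # Check for failure first so that any mention of 'Bad signature' wins.
    case $out in
        *"Bad signature"*) return 1 ;;
    esac
    case $out in
        *"Good signature"*) ;;
        *) return 2 ;;   # missing file, unreadable key, etc.: treat as failure
    esac

    # The comment is only trusted because the signature was reported good.
    printf '%s\n' "$out" | sed -n 's/^Authenticated comment: //p'
}

# Usage (key taken from the example above):
#   if comment=$(verify_pinned 'Ed//L2CzmImpu9UA6HFjllemS4TVaE84PdTTrTNc5i6gxFU=' file.zip); then
#       echo "verified: $comment"
#   else
#       echo "verification failed, not using file.zip" >&2; exit 1
#   fi
```

The public key passed to the wrapper should come from a source you trust independently of the download, not from the same location as the file and its signature.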
