GPG is still in use to verify downloads
This week, I needed to install the Amazon SSM Agent and was surprised to find that GPG (GNU Privacy Guard) was the only way to verify the download. I had assumed that software download verification had largely transitioned to X.509 PKI (Public Key Infrastructure), the certificate-based model used for TLS and code signing. This short post is a refresher on GPG.
OpenPGP is an open standard for encrypting and signing data, originally derived from PGP (Pretty Good Privacy) and specified in RFC 4880 (revised as RFC 9580). It defines the message and key formats and the cryptographic operations (signing, encryption, key management) used for secure communication. GPG (GnuPG, the GNU Privacy Guard) is the most widely used implementation of OpenPGP.
Hello World: signing and verifying a file
Server 1: Generate key and sign a file
# Use --allowerasing to remove gnupg2-minimal, which ships with AL2023 but conflicts with gnupg2.
sudo yum install --allowerasing gnupg2

# Generate a key; the default choices are fine for this experiment. No public key file is
# written at this point: gpg prints the new key's fingerprint and stores a revocation
# certificate under ~/.gnupg/openpgp-revocs.d/. The public key is exported separately below.
gpg --full-generate-key

# Find the key ID (look for a line like "pub   ed25519/06E81EEB180AD914 2025-02-24 [SC]").
# The 16-hex "long" key ID is a truncation of the 40-hex fingerprint; the full fingerprint
# (printed on the line below "pub") is what to publish and compare, since long IDs can collide.
gpg --list-keys --keyid-format LONG

# Export the public key (ASCII-armored, so it can be pasted on a web page or into a repo).
gpg --armor --export 06E81EEB180AD914 > 06E81EEB180AD914.asc

# Create a document and sign it. --detach-sign writes a binary signature to document.txt.sig;
# add --armor to get an ASCII document.txt.asc instead. The signature is separate from the
# document, which is exactly the form download pages such as the SSM Agent's use.
echo "Hello GPG!" > document.txt

gpg -u 06E81EEB180AD914 --detach-sign document.txt
Server 2: Import Key and Verify Signature
# Import the publisher's public key. This only adds it to the keyring; it says nothing about
# whether the key really belongs to the publisher.
gpg --import 06E81EEB180AD914.asc

# Verify the detached signature against the document. Expect "Good signature from ..." followed by
# "WARNING: This key is not certified with a trusted signature!": the signature is valid, but no
# one in your keyring vouches for the key. Compare the fingerprint gpg prints with one obtained
# out of band (the vendor's documentation, not the same page as the download) before trusting it.
gpg --verify document.txt.sig document.txt
GPG and Trust Model
OpenPGP's trust model, the web of trust, is decentralized and peer-to-peer: users generate and exchange keys independently, and trust is established by verifying fingerprints in person or out of band and by users signing (certifying) each other's keys, rather than by a central certificate authority as in X.509 PKI. In practice, a key that nobody in your keyring has certified yields a "Good signature" with a warning, so a verifier has to decide for itself which fingerprint to accept. GPG is commonly used for:
- Git commit verification (git verify-commit)
- Email encryption (e.g., ProtonMail)
- File signing (e.g., verifying SSM Agent downloads)
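The two-server procedure above and the trust-model point it runs into, as an added example that is not part of the original post: the script below runs the publisher and consumer sides in throwaway keyrings, then shows why the consumer's bare `gpg --verify` is not enough. A second, unrelated key with the same user ID (a constructed "attacker" key) also signs the document; plain `gpg --verify` accepts that signature with exit status 0 and only a warning, while a check that pins the publisher's fingerprint and reads gpg's machine-readable `--status-fd` output rejects it. The identities, file names and key material are constructed for the demo; it assumes GnuPG 2.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): the post's two-server procedure
# run end to end in throwaway keyrings, plus the check a download verifier
# needs on top of a bare "gpg --verify": pin the signer's fingerprint and read
# gpg's machine-readable --status-fd output. The identities, file names and
# the "attacker" key are constructed for the demo. Assumes GnuPG >= 2.1.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to run" >&2; exit 0; }

# Create an unprotected ed25519 signing key for UID in keyring HOME and print
# its fingerprint (field 10 of the "fpr" line in --with-colons output).
make_signing_key() {
    home=$1 uid=$2
    GNUPGHOME=$home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" ed25519 sign never >/dev/null
    GNUPGHOME=$home gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }'
}

# Write a binary detached signature over FILE to OUT, as in the post's Server 1 step.
sign_detached() {
    home=$1 file=$2 out=$3
    GNUPGHOME=$home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$out" --detach-sign "$file"
}

# The post's Server 2 step as written: exits 0 for a good signature from ANY
# key in the keyring, and only warns that the key "is not certified".
verify_plain() {
    GNUPGHOME=$1 gpg --batch --verify "$2" "$3" 2>/dev/null
}

# Hardened check: succeed only if gpg reports VALIDSIG whose first field (the
# full 40-hex fingerprint of the signing key) equals the pinned value. The
# status lines are GnuPG's documented interface for scripts; the exit code
# and the human-readable output do not tell you which key signed.
verify_pinned() {
    home=$1 sig=$2 file=$3 expected=$4
    status=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected "
}

report() {  # report LABEL CMD ARGS...: print the verdict without tripping set -e
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

WORK=$(mktemp -d)
trap 'for h in publisher attacker consumer; do GNUPGHOME=$WORK/$h gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT
mkdir -m 700 "$WORK/publisher" "$WORK/attacker" "$WORK/consumer"
echo "Hello GPG!" > "$WORK/document.txt"
echo "Hello GPG?" > "$WORK/tampered.txt"

# Server 1 (publisher): key, detached signature, exported public key.
PUB_FPR=$(make_signing_key "$WORK/publisher" 'Release Bot <release@example.invalid>')
sign_detached "$WORK/publisher" "$WORK/document.txt" "$WORK/document.txt.sig"
GNUPGHOME=$WORK/publisher gpg --batch --armor --export "$PUB_FPR" > "$WORK/publisher.asc"

# A second, unrelated key with the SAME user ID also signs the document:
# anyone can claim the name; only the fingerprint identifies the key.
ATT_FPR=$(make_signing_key "$WORK/attacker" 'Release Bot <release@example.invalid>')
sign_detached "$WORK/attacker" "$WORK/document.txt" "$WORK/document.txt.evil.sig"
GNUPGHOME=$WORK/attacker gpg --batch --armor --export "$ATT_FPR" > "$WORK/attacker.asc"

# Server 2 (consumer): imports every key it was handed, e.g. from a web page.
GNUPGHOME=$WORK/consumer gpg --batch --quiet --import "$WORK/publisher.asc" "$WORK/attacker.asc" 2>/dev/null

C=$WORK/consumer; D=$WORK/document.txt
report "plain  verify, publisher sig " verify_plain  "$C" "$D.sig"      "$D"
report "plain  verify, attacker sig  " verify_plain  "$C" "$D.evil.sig" "$D"   # accepted!
report "pinned verify, publisher sig " verify_pinned "$C" "$D.sig"      "$D" "$PUB_FPR"
report "pinned verify, attacker sig  " verify_pinned "$C" "$D.evil.sig" "$D" "$PUB_FPR"
report "pinned verify, tampered file " verify_pinned "$C" "$D.sig"      "$WORK/tampered.txt" "$PUB_FPR"
```

The pinned fingerprint is the one value that must come from somewhere other than the download page itself (vendor documentation, a previous trusted install, a colleague's keyring); everything else in the check is mechanical. `--status-fd` is used rather than parsing "Good signature from" because the human-readable output is localized and not guaranteed stable, and because the user ID it prints is chosen by whoever made the key.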
However, many file verification use cases have shifted away from GPG. For example, PEP 761 (Deprecating PGP signatures for CPython artifacts) stops publishing PGP signatures for CPython releases starting with Python 3.14, leaving Sigstore as the supported way to verify them.