If I use gpg to check the validity of a file, say file.tar.xz, using a file.tar.xz.asc (downloaded to the PC), i.e. gpg --verify file.tar.xz.asc file.tar.xz, does this command simply compare file.tar.xz.asc with the same (hopefully the same) file stored in file.tar.xz, or is it more complicated? If so, please explain. Thanks
The .asc is a detached signature file. The verify command downloads the public key of the signer and uses it to decrypt the .asc sig file. That is a hash of the tar file. It then hashes the tar file itself and compares the two hashes. If they are the same then the signature is good.
Thanks for responding. I am a little confused when you talk of tar files. In my example, gpg --verify file.tar.xz.asc file.tar.xz, both files are tar files. I am not sure how verify verifies the file.tar.xz file.
The file "file.tar.xz.asc" is an ASCII text file, not an archive. Just look at "file.tar.xz.asc" in a text editor, and you'll see.
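The following script is an added example, not a reply from the thread and not code from the GnuPG project. It walks through what the first reply describes (a detached signature checked with the signer's public key against a fresh hash of the data) and what the last reply points out (the .asc is plain text), using two throwaway keyrings so the real ~/.gnupg is never touched. It assumes gpg 2.1 or later; the signer identity signer@example.invalid, the file names and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): exercise a detached,
# ASCII-armored gpg signature end to end in throwaway keyrings.
# The signer identity, file names and file contents are constructed.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg is not installed; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer-keyring"   # the publisher's keyring
USER_HOME="$WORK/user-keyring"       # the downloader's keyring, initially empty
mkdir -p "$SIGNER_HOME" "$USER_HOME"
chmod 700 "$SIGNER_HOME" "$USER_HOME"
SIGNER='signer@example.invalid'      # constructed identity

# Shut down the per-keyring agents and remove the scratch directory on exit.
trap 'GNUPGHOME="$SIGNER_HOME" gpgconf --kill gpg-agent 2>/dev/null || true;
      GNUPGHOME="$USER_HOME" gpgconf --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# Run gpg against a specific keyring directory: gpg_in <dir> <gpg args...>
gpg_in() {
    dir=$1; shift
    GNUPGHOME="$dir" gpg --batch --quiet "$@"
}

# Create a passphrase-less signing key in the signer's keyring.
make_signing_key() {
    gpg_in "$SIGNER_HOME" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Example Signer <$SIGNER>" default default never 2>/dev/null
}

# Detached, ASCII-armored signature of data file $1, written to $2 (the .asc).
sign_detached() {
    gpg_in "$SIGNER_HOME" --yes --local-user "$SIGNER" \
        --armor --detach-sign --output "$2" "$1"
}

# Verify data file $3 against detached signature $2 using keyring $1.
# Prints the machine-readable status token that decided the outcome
# (GOODSIG, BADSIG or NO_PUBKEY) so the caller can see why a check failed.
verify_detached() {
    GNUPGHOME="$1" gpg --batch --quiet --status-fd 1 --verify "$2" "$3" 2>/dev/null \
        | awk '$1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "BADSIG" || $2 == "NO_PUBKEY") { print $2; exit }'
}

# True if $1 is an ASCII-armored signature: ordinary text that starts with
# the familiar header line, which is why it opens fine in a text editor.
is_ascii_armored() {
    [ "$(head -n 1 "$1")" = '-----BEGIN PGP SIGNATURE-----' ]
}

# --- demo ---------------------------------------------------------------
cd "$WORK"
printf 'stand-in for an xz-compressed tarball\n' > file.tar.xz   # constructed data
make_signing_key
sign_detached file.tar.xz file.tar.xz.asc
gpg_in "$SIGNER_HOME" --armor --export "$SIGNER" > signer-pubkey.asc   # what a project publishes

is_ascii_armored file.tar.xz.asc && echo "file.tar.xz.asc is plain ASCII armor, not an archive"

# 1. The downloader has not imported the signer's key yet: gpg cannot check anything.
echo "before import: $(verify_detached "$USER_HOME" file.tar.xz.asc file.tar.xz)"   # NO_PUBKEY

# 2. Import the published public key, then verify: the signature checks out.
gpg_in "$USER_HOME" --import signer-pubkey.asc 2>/dev/null
echo "after import:  $(verify_detached "$USER_HOME" file.tar.xz.asc file.tar.xz)"   # GOODSIG

# 3. Append one byte to the archive: its hash no longer matches the signed hash.
cp file.tar.xz tampered.tar.xz
printf 'x' >> tampered.tar.xz
echo "tampered:      $(verify_detached "$USER_HOME" file.tar.xz.asc tampered.tar.xz)"   # BADSIG
```

Two things the run makes visible. First, gpg does not fetch the signer's key on its own by default: the first verify fails with NO_PUBKEY until the public key has been imported (or auto-key-retrieve has been switched on deliberately), so obtaining that key from a source you trust is part of the job. Second, GOODSIG only says that the signature was made by that key over exactly these bytes; whether that key really belongs to the project is a separate trust decision, which is why gpg still warns that the key is not certified by a trusted signature.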