Verify your download with GPG

After you have downloaded the ISO, you also need to download the GPG signature, which you can find under the header “Verify” on the download page.


Check the currently installed keys:

gpg --list-keys

Look for this key in the output:

pub   4096R/BCA63C3C 2013-02-17
uid                  Arjen Balfoort (Schoelje) 
sub   4096R/B4187A61 2013-02-17

If the above key is not listed, you’ll need to install it from the key server:

gpg --keyserver hkp:// --recv-keys BCA63C3C

Check the installed key with:

gpg --fingerprint BCA63C3C

Output should look like:

pub   4096R/BCA63C3C 2013-02-17
      Key fingerprint = 1FD0 3599 DC09 A23A 5011  EB5F EADB 2FB0 BCA6 3C3C
uid                  Arjen Balfoort (Schoelje) 
sub   4096R/B4187A61 2013-02-17

Now that you have the key installed, you can verify the download.
Go to the directory where you downloaded the ISO and the signature file.
Verify the download with (replace “my.iso” with the correct name):

gpg --verify my.iso.sig my.iso

The output should say “Good signature”:

gpg: Signature made Tue 23 Feb 2016 11:12:06 AM PST using RSA key ID BCA63C3C
gpg: Good signature from "Arjen Balfoort (Schoelje) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1FD0 3599 DC09 A23A 5011  EB5F EADB 2FB0 BCA6 3C3C

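If you don’t see “Good signature”, your download may be corrupted.
Download the ISO and the signature again and verify them with the procedure described above.
The WARNING lines only mean that you have not certified the key yourself; check that the primary key fingerprint matches the one shown above.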
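
The verification step above as a script that also pins the signer to the full fingerprint, since an 8-character key ID such as BCA63C3C can be shared by more than one key. This is an added example, not part of the original instructions; the function names are hypothetical, and it assumes the key is already in your keyring.

```shell
#!/bin/sh
# Added example: verify an ISO and require the signer's full fingerprint.
# Fingerprint taken from this page's `gpg --fingerprint BCA63C3C` output.
EXPECTED_FPR="1FD0 3599 DC09 A23A 5011  EB5F EADB 2FB0 BCA6 3C3C"

# normalize_fpr (hypothetical helper): strip whitespace, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# check_status EXPECTED: reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if gpg reported a good signature, the signing key (or its
# primary key) has exactly the expected fingerprint, and no status line
# reports a bad, unverifiable, expired-key or revoked-key signature.
check_status() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        # VALIDSIG: field 3 is the signing key, last field the primary key.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) {
            pinned = 1
        }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_iso SIGFILE ISO: run gpg and judge its machine-readable status.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Usage: sh verify-iso.sh my.iso.sig my.iso
if [ "$#" -eq 2 ]; then
    if verify_iso "$1" "$2"; then
        echo "OK: good signature from the expected key"
    else
        echo "FAIL: no good signature from the expected key" >&2
        exit 1
    fi
fi
```

The script exits non-zero when the signature is good but was made by a different key, a case the plain “Good signature” line does not distinguish.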


Windows users can download and install GPG from here.
In the above commands, replace “gpg” with “C:\Program Files\GNU\GnuPG\gpg2.exe” (include the quotes).