How to verify a downloaded file's signature.

Confirm a release, document, or any download really came from the signer and wasn't tampered with — by checking it against its detached PGP signature, right on your phone.

~3 minutes · iOS / Android · Signer key required
// at a glance
  1. Get the file and its .sig / .asc
  2. Import the signer's public key
  3. Verify the signer's fingerprint
  4. Share both files into PGPony
  5. Read the verification result
Prerequisites
  • PGPony installed
  • The downloaded file and its detached signature
  • The signer's public key, with a fingerprint you can verify against a trusted source
// step 01

Get both files.

Download the file and its detached signature, usually a second file with the same name plus .sig or .asc (for example release.tar.gz and release.tar.gz.asc). Verification needs both; the signature alone or the file alone isn't enough. Some projects sign a checksum list (for example SHA256SUMS and SHA256SUMS.asc) rather than each download; there the signature covers the checksum file, so verify that first and then compare the download's SHA-256 hash against its entry in the list.

// step 02

Import the signer's public key.

The signer's public key has to be in your PGPony keyring. Import it from their key file, a keyserver lookup, or wherever they publish it. See Import a GnuPG key to your phone if you need it.

// step 03

Verify the signer's fingerprint.

Before you trust a verification result, make sure you have the right key. Compare the key's fingerprint against the one the project or person publishes through a channel you trust — their website, a signed announcement, in person. A valid signature from the wrong key proves nothing.

This is the step that matters. The cryptography is only as trustworthy as your verification of whose key you're checking against. Compare the whole fingerprint, not a short key ID: short key IDs are easy to collide.

// step 04

Open the verify flow.

Share both the original file and its signature into PGPony (via the Share Sheet on iOS or the share intent on Android), or open them from the Decrypt tab. PGPony pairs the file with its detached signature and runs verification.

// step 05

Read the result.

PGPony reports one of three states: valid and signer known (a green result: the file is intact and signed by a key in your keyring that you've marked as trusted), valid but signer unknown (the signature checks out, but the key isn't one you've marked as trusted, so verify its fingerprint first), or invalid (the file changed, the wrong signature was used, or it wasn't made by the key you have, so don't trust it).

What each result means.

  • Valid, known signer: the file is unmodified and signed by a key you trust. Safe to use.
  • Valid, unknown signer: intact and correctly signed, but you haven't verified whose key this is. Check the fingerprint before trusting.
  • Invalid: the file was altered, the signature doesn't match, or you used the wrong key. Re-download and recheck.
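The same five steps on a desktop with GnuPG, as an added example that is not part of this page or of PGPony. It assumes gpg 2.2 or later on the PATH; the function names, the test user ID Release Bot <rel@example.invalid> and the file name release.tar.gz are hypothetical, and the key, file and signature are generated on the fly so nothing is downloaded. The part worth copying is the fingerprint check: gpg --verify exiting 0 only tells you that some key in your keyring made a good signature, which is the "valid but signer unknown" state above, so the script also reads the VALIDSIG status line and insists the fingerprint matches the one you checked in step 03.

```shell
#!/bin/sh
# Added example: the five steps above done with GnuPG on a desktop. Not PGPony
# code. Hypothetical names: verify_download, norm_fpr, make_fixture, demo, the
# user ID "Release Bot <rel@example.invalid>" and the file release.tar.gz.

# Normalize a fingerprint so "ABCD 1234 ..." and "abcd1234..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# verify_download FILE SIG EXPECTED_FINGERPRINT
# Returns 0 only if SIG is a good signature over FILE *and* it was made by the
# key (or a subkey of the key) whose fingerprint you checked out of band.
verify_download() {
    want=$(norm_fpr "$3")
    # --status-fd gives machine-readable lines. The exit status alone only says
    # "some key in the keyring made a good signature", not which key.
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || {
        echo "INVALID: file altered, signature mismatch, or signing key not in keyring"
        return 1
    }
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, field 12 the
    # primary key fingerprint, which is the one projects usually publish.
    got=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $3, $12; exit}')
    sub=${got%% *}; pri=${got##* }
    [ -n "$pri" ] || pri=$sub
    if [ "$sub" = "$want" ] || [ "$pri" = "$want" ]; then
        echo "VALID: signed by $pri"
        return 0
    fi
    echo "VALID SIGNATURE, WRONG KEY: signed by $pri, expected $want"
    return 1
}

# Builds a throwaway keyring, a constructed sample file and a detached
# signature so the script runs offline. Sets GNUPGHOME, FPR (signer
# fingerprint) and F (path of the sample file).
make_fixture() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Release Bot <rel@example.invalid>' ed25519 sign never \
        >/dev/null 2>&1 || return 1
    FPR=$(gpg --batch --with-colons --list-keys rel@example.invalid 2>/dev/null |
          awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$FPR" ] || return 1
    F=$GNUPGHOME/release.tar.gz
    printf 'constructed sample: pretend this is a release tarball\n' >"$F"
    gpg --batch --quiet --armor --detach-sign --output "$F.asc" "$F" >/dev/null 2>&1
}

# Walks through the three outcomes the page describes.
demo() {
    make_fixture || { echo "gpg could not create a test key here"; return 1; }
    echo "Step 3: compare this with the fingerprint the project publishes: $FPR"
    verify_download "$F" "$F.asc" "$FPR"                 # valid, known signer
    verify_download "$F" "$F.asc" "$(printf '%040d' 0)"  # valid signature, wrong key
    printf 'x' >>"$F"                                    # tamper with the download
    verify_download "$F" "$F.asc" "$FPR"                 # invalid
    gpgconf --kill all >/dev/null 2>&1
    rm -rf "$GNUPGHOME"
}

# Run the demo when executed directly as verify_download.sh; sourcing the file
# only defines the functions.
case "$0" in *verify_download.sh) demo ;; esac
```

Save it as verify_download.sh and run sh verify_download.sh to see all three outcomes. For a real download, import the signer's key into your keyring, then call verify_download release.tar.gz release.tar.gz.asc with the fingerprint the project publishes; a valid signature with a non-matching fingerprint is reported as a failure, which is exactly what step 03 asks you to treat it as.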

Common questions.

What does a valid signature prove?

That the file hasn't changed since it was signed, and that the signature was made with a specific private key. It doesn't prove the file is safe to run, and who holds that private key is something only your out-of-band check of the fingerprint can establish.

What's a detached signature?

A separate signature file alongside the original, so the original stays unmodified. You need both to verify.

Verification failed — now what?

Don't trust the file. Re-download both file and signature from the source, and confirm you have the correct signer key.

Valid but unknown signer?

The signature is good, but the key isn't one you've trusted. Verify its fingerprint against the project's published fingerprint.

Next steps.

Get PGPony

Free OpenPGP encryption for iOS and Android. No accounts, no tracking.