Verifying a download

There are two ways to check the files you've downloaded from a project:

The difference between the two is that the MD5 lets you check the file hasn't changed between leaving Launchpad and arriving on your machine, whereas the signature lets you check that the file hasn't changed since it was signed.

Using the MD5 sum

When a project maintainer uploads a file that they want to make available for download, Launchpad analyzes the file using the MD5 hashing algorithm. This produces a short sequence of letters and numbers.

You can use that sequence, called the MD5 sum, to check that the file has arrived on your machine intact.

Step 1: Get the MD5 sum by following the md5 link next to the file you've downloaded.

Step 2: Open a terminal, enter the directory where you downloaded the file and type:

md5sum filename

Obviously you need to replace filename with the name of the file you downloaded.

Step 3: You'll see an MD5 sum. Check that it's the same as the one you obtained in step 1. If the two sums are different, there has been a problem downloading the file. You should delete the file and try downloading it again. Do not use the file if the MD5 sums do not match.

Verifying a signature

When a project maintainer uploads a file to Launchpad, they have the option of also digitally signing the file and uploading the resultant signature.

You can tell which files have a signature by looking out for the sig link alongside the md5 link. Verifying the files signature lets you check that the file is exactly as intended by whoever signed the file.

Step 1: Download the signature file to the same directory where you've downloaded the project file you want to verify. The signature file will have the same name as the project file you've downloaded but with .asc or .sig appended to the end.

Step 2: Open a terminal, change to the directory where you have saved the file and accompanying signature, then enter the following:

gpg --verify signaturefilename

Replace signaturefilename with the signature's filename.

gpg will now try to check the signature against the signer's public key. If your version of gpg is configured to retrieve public keys automatically, you can skip to step 4. Otherwise, you'll need to fetch the signer's public key manually.

Step 3: If gpg can't find the public key on your local system, it will give you an error message similar to this:

gpg: Signature made Sun 28 Jun 2009 02:20:52 BST using DSA key ID 2F9532C8
gpg: Can't check signature: public key not found

That's no problem: you can easily retrieve the public key. Simply copy the key ID; it's the alphanumeric code, 2F9532C8, at the end of the first line of the error message.

Next, enter:

gpg --recv-keys 2F9532C8

gpg will now pull down the public key and you can re-run gpg --verify signaturefilename

Step 4: We're nearly done! You'll see a message from gpg that is similar to this:

gpg: Signature made Sun 28 Jun 2009 02:20:52 BST using DSA key ID 2F9532C8
gpg: Good signature from "Guillermo Gonzalez <>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CDD8 87C2 C5CE CD1A C593 8EEF 698A D97E 2F95 32C8

This message shows that the file hasn't changed since it was signed by the uploader. Because Launchpad allows only a project's owners and series release managers to upload files for download, you may decide that this is enough confirmation that the file is good.

However, you can verify that the public key is owned by someone that you trust from the project.

Step 5: Visit Launchpad's people search page and search for the person name in the output from gpg --verify.

From their profile page, you can check their involvement in the project and also that they own the key used to sign the file you downloaded.