GNU Privacy Guard for R
Bindings to GPG for creating and verifying OpenPGP (RFC4880) signatures. This is not a standalone library; GPG needs to be installed on the system. On Windows you need GPG4Win or similar, on other systems use the GPGME library.
About the R package:
- Vignette: Using GPG in R
Let's verify a Debian file. The Debian page on CRAN says the following:
Since 16th of November 2021, the buster40 and bullseye40 repositories are signed with a new key with the key ID 0xB8F25A8A73EACF41, fingerprint 95C0FAF38DB3CCAD0C080A7BDC78B2DDEABC47B7 and user ID Johannes Ranke johannes.ranke@jrwb.de.
We import this key so that we can verify the Release file, which contains checksums for all files in the repository:
library(gpg)
# take out the spaces
johannes <- "0xB8F25A8A73EACF41"
gpg_recv(johannes)
If you don't trust the CRAN homepage, you could check who has signed this key. You'd need to import the corresponding peer keys for more information.
gpg_list_signatures(johannes)
Now let's verify the release files:
# Verify the file
library(curl)
curl_download('https://cran.r-project.org/bin/linux/debian/bullseye-cran40/Release', 'Release')
curl_download('https://cran.r-project.org/bin/linux/debian/bullseye-cran40/Release.gpg','Release.gpg')
gpg_verify('Release.gpg', 'Release')
                id           timestamp           name                  email success
1 DC78B2DDEABC47B7 2021-11-16 11:17:18 Johannes Ranke johannes.ranke@jrwb.de    TRUE
Looking good! We can trust the checksums in the Release file to be legitimate.
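Once gpg_verify reports success for Release, its checksums can be used to validate other files fetched from the same repository. The following is an added example, not code from the gpg package or its README: it assumes the openssl R package is installed, and the function names and sample files are constructed for illustration.

```r
library(openssl)

# Hex-encoded SHA-256 of a file on disk.
sha256_hex <- function(path) {
  paste(as.character(unclass(sha256(file(path)))), collapse = "")
}

# Parse the SHA256 field of a Debian Release file into a data frame.
parse_release_sha256 <- function(release_path) {
  lines <- readLines(release_path, warn = FALSE)
  start <- which(lines == "SHA256:")
  if (length(start) != 1) stop("expected exactly one SHA256: field")
  rest <- lines[seq_len(length(lines) - start) + start]
  # Entries are continuation lines (leading space); the next field ends them.
  is_entry <- startsWith(rest, " ")
  n <- if (all(is_entry)) length(rest) else which(!is_entry)[1] - 1
  parts <- strsplit(trimws(rest[seq_len(n)]), "[[:space:]]+")
  if (any(lengths(parts) != 3)) stop("malformed SHA256 entry")
  data.frame(
    sha256 = tolower(vapply(parts, `[`, "", 1)),
    size   = as.numeric(vapply(parts, `[`, "", 2)),
    name   = vapply(parts, `[`, "", 3),
    stringsAsFactors = FALSE
  )
}

# TRUE only if the file is listed exactly once and size and digest both match.
verify_against_release <- function(release_path, file_path,
                                   name = basename(file_path)) {
  entry <- parse_release_sha256(release_path)
  entry <- entry[entry$name == name, ]
  if (nrow(entry) != 1) return(FALSE)
  file.size(file_path) == entry$size &&
    identical(sha256_hex(file_path), entry$sha256)
}

# Constructed sample data: a stand-in Packages file and a Release listing it.
repo <- tempfile("repo"); dir.create(repo)
pkg <- file.path(repo, "Packages")
writeLines(c("Package: r-base", "Version: 0.0-constructed"), pkg)
rel <- file.path(repo, "Release")
writeLines(c("Suite: constructed", "SHA256:",
             sprintf(" %s %d Packages", sha256_hex(pkg),
                     as.integer(file.size(pkg)))), rel)

stopifnot(verify_against_release(rel, pkg))     # untouched file matches
cat("Package: r-base\nVersion: 9.9-tampered\n", file = pkg)
stopifnot(!verify_against_release(rel, pkg))    # modified file is rejected
```

A file that is not listed in Release, or is listed more than once, is treated as a failure rather than skipped.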
Binary packages for OS-X or Windows can be installed directly from CRAN:
install.packages("gpg")
Installation from source on Linux or OSX requires GPGME. On Debian or Ubuntu install libgpgme-dev directly from Universe:
sudo apt-get install -y libgpgme-dev
On Fedora and CentOS we need gpgme-devel:
sudo yum install gpgme-devel
On OS-X use gpgme from Homebrew:
brew install gpgme