GNU Privacy Guard for R

Bindings to GPG for creating and verifying OpenPGP (RFC4880) signatures. This is not a standalone library; GPG needs to be installed on the system. On Windows you need GPG4Win or similar, on other systems use the GPGME library.

Hello World

Let’s verify a Debian file. The Debian page on CRAN says the following:

Since 16th of November 2021, the buster40 and bullseye40 repositories are signed with a new key with the key ID 0xB8F25A8A73EACF41, fingerprint 95C0FAF38DB3CCAD0C080A7BDC78B2DDEABC47B7 and user ID Johannes Ranke <johannes.ranke@jrwb.de>.

We import this key so that we can verify the Release file, which contains checksums for all files in the repository:

library(gpg)
# key ID from the CRAN page, written without spaces
johannes <- "0xB8F25A8A73EACF41"
gpg_recv(johannes)

If you don’t trust the CRAN homepage, you could check who has signed this key. You’d need to import the corresponding peer keys for more information.

Now let's verify the Release file:

# Verify the file
library(curl)
curl_download('https://cran.r-project.org/bin/linux/debian/bullseye-cran40/Release', 'Release')
curl_download('https://cran.r-project.org/bin/linux/debian/bullseye-cran40/Release.gpg','Release.gpg')
gpg_verify('Release.gpg', 'Release')
                id           timestamp           name                  email success
1 DC78B2DDEABC47B7 2021-11-16 11:17:18 Johannes Ranke johannes.ranke@jrwb.de    TRUE

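Looking good! The signature is valid, and the id in the output matches the last 16 hex digits of the fingerprint quoted above, so we can trust the checksums in the Release file to be legitimate.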
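The two follow-up checks a script would make before relying on the result, as an added example that is not part of the gpg package or its documentation: pin the signer to the published fingerprint, then compare a downloaded file against the SHA256 entry in the verified Release file. It assumes the `id` and `success` columns shown in the output above and the digest package for hashing; the helper names and the sample data are constructed for illustration.

```r
library(digest)  # assumption: digest package, used only for SHA-256

# Fingerprint published on the CRAN Debian page quoted above
expected_fpr <- "95C0FAF38DB3CCAD0C080A7BDC78B2DDEABC47B7"

# TRUE if at least one valid signature was made by the pinned key.
# `sig` has the shape of the gpg_verify() output shown above (id, success).
signed_by <- function(sig, fpr) {
  id <- toupper(as.character(sig$id))
  # reject empty or short ids: endsWith(x, "") would always be TRUE
  any(sig$success & nchar(id) >= 16 & endsWith(toupper(fpr), id))
}

# Parse the "SHA256:" section of a Debian Release file into c(path = hash).
release_sha256 <- function(lines) {
  start <- match("SHA256:", lines)
  if (is.na(start)) stop("Release file has no SHA256 section")
  rest <- lines[-seq_len(start)]
  # entries are indented; the section ends at the next unindented field
  n <- match(FALSE, startsWith(rest, " "), nomatch = length(rest) + 1) - 1
  f <- strsplit(trimws(rest[seq_len(n)]), " +")
  setNames(vapply(f, `[`, "", 1), vapply(f, `[`, "", 3))
}

# Fail closed: stop unless `path` hashes to the value listed for `name`.
check_file <- function(path, name, sums) {
  if (!name %in% names(sums)) stop("not listed in Release: ", name)
  got <- digest(path, algo = "sha256", file = TRUE)
  if (!identical(tolower(got), tolower(unname(sums[name])))) {
    stop("SHA256 mismatch for ", name)
  }
  invisible(TRUE)
}

# Constructed sample data so the example runs offline. In real use:
#   sig <- gpg_verify("Release.gpg", "Release"); release <- readLines("Release")
pkg <- tempfile()
writeLines("Package: example", pkg)
sig <- data.frame(id = "DC78B2DDEABC47B7", success = TRUE)
release <- c("Origin: example", "SHA256:",
             paste("", digest(pkg, algo = "sha256", file = TRUE),
                   file.size(pkg), "Packages"),
             "SHA512:", " 00 1 Packages")

stopifnot(signed_by(sig, expected_fpr))   # wrong signer: stop here
check_file(pkg, "Packages", release_sha256(release))
```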

Installation

Binary packages for OS-X or Windows can be installed directly from CRAN:

Installation from source on Linux or OSX requires GPGME. On Debian or Ubuntu install libgpgme-dev directly from Universe:

sudo apt-get install -y libgpgme-dev

On Fedora and CentOS we need gpgme-devel:

sudo yum install gpgme-devel

On OS-X use gpgme from Homebrew:

brew install gpgme