Let's see how to verify an OpenPGP signature.

Obtain a signature

If you already have a signature you would like to verify, great! If not, let's use the following signature for the guide:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I like pineapple.
-----BEGIN PGP SIGNATURE-----

iQJDBAEBCAAtFiEEog/Pt4tEmnyVrrtlNzZ/SvQIetEFAl70mVUPHHlhcm1vQHlh cm1vLmV1AAoJEDc2f0r0CHrRQXIP/08uza9zOtmZXv5K+uPGVzDKwkgPgZJEezX7 6iQ358f1pjSRvYfQ5aB13k2epUHoqCKArMYu1zPqxhvLvvAvp8uOHABnr9NGL3El u7UUgaeUNHkr0gxCKEq3p81abrrbbWveP8OBP4RyxmaFx13Xcj7mfDluiBHmjVvv WU09EdH9VPlJ7WfZ+2G2ZZDHuE5XiaeP7ocugTxXXLkp33zwpDX0+ZuCIXM6fQGe OccSffglFPdNBnfasuuxDWxTQPsEbWGOPJV+CAPmBDeApX+TBF9bovO3hw4Uozk2 VT7EAy8Hb0SOrUb3UNGxzoKv++5676IxyB4JXX0Tr9O4ZxhO8o9pEEHwirtn/J1+ MWven4gVlWM/6bMeUqx6ydyNc2nqF5059yfRmwGMlp09x82G4x1bcf6aDZ+5njDG fS5T2OpXRIkZHJx8BhmZjsxiDR0KV44zwHpt06+96ef3EDWB0BcP6M+a5Rtc33zf irRmQd2M6RLyXCYtdGIiiAFRuomw802U4F0P4LwVrZdbGA6ObqBv1k8BUFCMbMz8 Ab4hF7kO4z0Vh3JaKzcHey0pOzdNCPpAHZ51sAoAnFDM4PdMBgQxxVweCMu4KYMZ FN8sNn42oY/b7gDmwCelVhgD+rvUn/a8+B7CDmCp+wIquyrjrTt00voATcb+ZPMJ
pTXJ/NcM
=rqTX
-----END PGP SIGNATURE-----

Copy the above signature.

Verify the signature

Open the keyoxide.org/verify page and paste the signature in the corresponding field.

Scroll down and press the VERIFY SIGNATURE button.

Keyoxide lets you know the signature was verified and signed by a certain person.

Verify the signature against a specific public key

Sometimes, you want to know if a specific person or public key was used to create a signature. In this case, let's figure out if the message was signed by Yarmo's public key or his friend Wiktor's public key.

Copy the following fingerprint:

653909A2F0E37C106F5FAF546C8857E0D8E8F074

Paste it in the Email / key id / fingerprint field under Public Key (3: HKP server) and press the big button again. It could not be verified. Guess it wasn't Wiktor who signed that message.

Now, copy the following fingerprint:

9f0048ac0b23301e1f77e994909f6bd6f80f485d

Paste it in the same field and press the big button again. It did verify! It was Yarmo all along.

Going further

You could try using different mechanisms of fetching keys, such as web key directory or copy-pasting a plaintext public key.