Where is the PGP Verification taking place? In Linux CLI commandline installation

tee will write its input to the specified file, as well as stdout. Looks to me like this is in the instructions for ‘visibility’ purposes, i.e. to print on the terminal what is also being written out to the file.

After that, the ‘signed-by’ option appears to be explained here:

https://manpages.debian.org/bullseye/apt/sources.list.5.en.html

So in short, the curl writes out the key file, and the subsequent command tells your package manager (apt) to use that exact key for verifying packages from the Brave repo.

After that, it is the responsibility of your package manager to perform PGP/GPG verification of packages it gets from that repo. This should be happening automatically every time a new package is downloaded.

If you really wanted to verify the files by hand, I suggest looking this up in some of the Debian docs, as this would be specific to the .deb package format.

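To see which key apt has been told to use for a repository, as described in the reply above, the `signed-by` option can be read back out of the source entry. The following is an added example, not part of the original post or Brave's instructions; it handles only the one-line `deb [options] uri suite component` format from sources.list(5), and the keyring path and repository URLs in it are constructed placeholders.

```shell
#!/bin/sh
# Report which keyring each one-line-style APT source entry is pinned to.

# Print the signed-by value of one entry.
# Returns 1 if the entry has no signed-by, 2 if the line is not a deb/deb-src entry.
signed_by_of() {
    # Drop comments, trim leading whitespace, turn tabs into spaces.
    entry=$(printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/^[[:space:]]*//' | tr '\t' ' ')
    case $entry in
        "deb "*|"deb-src "*) ;;
        *) return 2 ;;
    esac
    # Options, if any, sit in square brackets right after the entry type.
    opts=$(printf '%s\n' "$entry" | sed -n 's/^deb\(-src\)\{0,1\} *\[\([^]]*\)\].*/\2/p')
    value=$(printf '%s\n' "$opts" | tr ' ' '\n' | sed -n 's/^signed-by=//p' | head -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Read entries on stdin and label each one; returns 1 if any entry is unpinned,
# meaning apt would accept any key it trusts globally for that repository.
audit_sources() {
    unpinned=0
    while IFS= read -r src; do
        rc=0
        kr=$(signed_by_of "$src") || rc=$?
        case $rc in
            0) printf 'pinned   %s\n' "$kr" ;;
            1) printf 'UNPINNED %s\n' "$src"; unpinned=$((unpinned + 1)) ;;
        esac
    done
    [ "$unpinned" -eq 0 ]
}

# Constructed sample entries (placeholder paths and hosts, not real repositories).
sample_sources() {
    cat <<'EOF'
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.invalid/ stable main
deb https://mirror.example.invalid/debian bullseye main
# deb [signed-by=/tmp/old.gpg] https://old.example.invalid/ stable main
EOF
}

sample_sources | audit_sources || echo "at least one source is not pinned to a key"
```

On a real system, feed it the entries themselves, for example `cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list | audit_sources`.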