How to verify the integrity of a software package


First, get my secondary PGP key:


You can also download it from here.

Say you saved the key as tom.key. Use this command to add the key to your keyring with GnuPG:

 % gpg --import tom.key 

Next, download the desired software package and the associated signature file. In our example we will use the server-firewall:



Now, grab the associated signature file: server-firewall-1.0.1.tar.gz.sig.


If you've got everything in place, enter this command to verify that the downloaded file matches the signature file I made the other day:

 % gpg --verify server-firewall-1.0.1.tar.gz.sig server-firewall-1.0.1.tar.gz 

You should now receive the following output:
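A "Good signature" line from gpg --verify only tells you that the file was signed by some key in your keyring; if a stray key was imported, it still says "Good signature". A stricter check, added here as an example and not part of the original page, asks GnuPG for its machine-readable status output (--status-fd) and accepts the package only if the VALIDSIG line carries the fingerprint you expect. The fingerprint in the test data below is a made-up placeholder, not the author's real key; substitute the fingerprint you obtained for the key.

```shell
#!/bin/sh
# verify_fingerprint reads GnuPG status lines (as printed by --status-fd 1)
# on stdin and returns 0 only if a VALIDSIG line names the expected key
# fingerprint. Spaces in the fingerprint are ignored and hex is upper-cased
# so the value can be pasted as shown on a key server or web page.
verify_fingerprint() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    while IFS= read -r line; do
        case "$line" in
            # VALIDSIG <fpr> <date> <timestamp> ... : first field is the
            # fingerprint of the (sub)key that actually made the signature.
            "[GNUPG:] VALIDSIG $expected "*) return 0 ;;
        esac
    done
    return 1
}

# verify_package runs gpg on a package and its detached signature and pipes
# the status output through verify_fingerprint. Requires gpg to be installed;
# the signature itself is still checked by gpg, we only add the key binding.
# Usage: verify_package server-firewall-1.0.1.tar.gz.sig \
#                       server-firewall-1.0.1.tar.gz "<EXPECTED FINGERPRINT>"
verify_package() {
    sig=$1; pkg=$2; fpr=$3
    gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null \
        | verify_fingerprint "$fpr"
}
```

If the signing key is a subkey, VALIDSIG lists the subkey fingerprint first and the primary key fingerprint last; compare against whichever one you have verified out of band. The status lines are documented in GnuPG's doc/DETAILS file.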