How to verify the integrity of a software package

1.

First, get my secondary PGP key:

/images/key.png

You can also download it from here.

Say you named the key tom.key. Use this command to add the key to your keyring using GnuPG:

 % gpg --import tom.key

2.

Next, download the desired software package and the associated signature file. In our example we will use server-firewall:

server-firewall-1.0.1.tar.gz

3.

Now, grab the associated signature file: server-firewall-1.0.1.tar.gz.sig.

4.

If you've got everything in place, enter this command to verify that the downloaded file matches the signature file I made the other day:

 % gpg --verify server-firewall-1.0.1.tar.gz.sig server-firewall-1.0.1.tar.gz 

You should now receive the following output:

/images/verify.png
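
For scripted use, the verify step above can be checked mechanically instead of by reading the output. This is an added example, not the author's own script: it parses gpg's machine-readable status lines and accepts the package only if the signature is valid and was made by a pinned key. Assumptions: the script name verify.sh, the function names and the EXPECTED_FPR placeholder are hypothetical; the real fingerprint has to be confirmed with the key owner.

```shell
#!/bin/sh
# Added example, not the author's script.
# EXPECTED_FPR is a placeholder: set it to the full fingerprint of the
# signing key, confirmed through a channel other than the download site.
EXPECTED_FPR="REPLACE_WITH_40_HEX_DIGIT_FINGERPRINT"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names the expected fingerprint, as the signing key (field 3) or as its
# primary key (field 12), and no BADSIG/ERRSIG line is present.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Appending "" forces string comparison; an all-digit fingerprint
        # would otherwise be compared as a number.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($12 "") == (want "")) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# $1 = detached signature, $2 = package, $3 = expected fingerprint
verify_pkg() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Run as (verify.sh is a hypothetical file name):
#   sh verify.sh server-firewall-1.0.1.tar.gz.sig server-firewall-1.0.1.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_pkg "$1" "$2" "$EXPECTED_FPR"; then
        echo "OK: valid signature from the pinned key"
    else
        echo "FAIL: signature invalid or not made by the pinned key" >&2
        exit 1
    fi
fi
```

A signature that verifies against some other key already in the keyring is rejected here, which a bare exit-code check on gpg --verify would not catch.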