How to verify the integrity of a software package
- 1.
- 2.
- 3.
- 4.
First, get my secondary PGP key:
|http://search.keyserver.net:11371/pks/lookup?template=netensearch%2Cnetennomatch%2Cnetenerror&search=tom%40co.daemon.de&op=index&fingerprint=on>
![](<img src="/assets/images/key.png){kind=link}
You can also download it from here.
Say, you named the key tom.key. Use this command to add the key to your keyring using GNUPG:
% gpg --import tom.key
Next, download the desired spftware package and the associated signature file. In our example we will use the server-firewall:
Now, grab the associated signature file: server-firewall-1.0.1.tar.gz.sig.
If you 've got everything in place, enter this command to verify if the downloaded file matches with the signature file I made the other day:
% gpg --verify server-firewall-1.0.1.tar.gz.sig server-firewall-1.0.1.tar.gz
You should now receive the following output:
