Verifying release files with GPG
The sha256sums.txt files available at https://alpha.de.repo.voidlinux.org/live and https://alpha.de.repo.voidlinux.org/static are signed with my GPG key (Juan RP). To verify that they are signed correctly, use:
    $ gpg --recv-keys 482F9368
    $ wget http://repo.voidlinux.eu/live/sha256sums.txt
    $ wget http://repo.voidlinux.eu/live/sha256sums.txt.asc
    $ LANG=C gpg --verify sha256sums.txt.asc
    gpg: assuming signed data in 'sha256sums.txt'
    gpg: Signature made Sun Feb 8 12:33:05 2015 CET using RSA key ID 482F9368
    gpg: Good signature from "Juan RP <firstname.lastname@example.org>" [unknown]
    gpg: aka "[jpeg image of size 3503]" [unknown]
    ...
Now that the signature has been verified, you should check that the sha256 hash is valid for the file you've downloaded. Use the sha256sum utility and compare it with what's stored in the
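The two steps above combined into one check that fails closed, as an added example that is not part of the original page. The function names, the return codes and the accepted list formats (GNU `<hash>  <name>` and BSD `SHA256 (<name>) = <hash>`) are assumptions, since the page does not show the contents of sha256sums.txt.

```shell
#!/bin/sh
# Added example (not from the original page): check a downloaded file
# against its entry in a sha256sums.txt that carries a detached signature.

# expected_hash SUMS_FILE NAME -> prints the hash listed for NAME.
# Assumed formats: GNU "<hash>  <name>" / "<hash> *<name>" and
# BSD "SHA256 (<name>) = <hash>". Names containing spaces are not handled.
expected_hash() {
    awk -v name="$2" '
        $1 == "SHA256" && $2 == "(" name ")" && $3 == "=" { print tolower($4); found++ }
        length($1) == 64 && ($2 == name || $2 == "*" name) { print tolower($1); found++ }
        END { exit (found == 1 ? 0 : 1) }  # a missing or duplicate entry is an error
    ' "$1"
}

# check_listed_hash SUMS_FILE FILE
# Returns 0 on match, 1 on mismatch, 2 if FILE has no single entry in the list.
check_listed_hash() {
    sums=$1 file=$2
    want=$(expected_hash "$sums" "$(basename "$file")") || return 2
    got=$(sha256sum "$file" | awk '{ print $1 }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_release SUMS_FILE FILE
# Signature first, hash second; returns 3 if the signature check fails.
# gpg exits 0 for a good signature by any key in the keyring, so also confirm
# that the key ID in its output is the one imported above.
verify_release() {
    LANG=C gpg --verify "$1.asc" "$1" || return 3
    check_listed_hash "$1" "$2"
}
```

Call `verify_release sha256sums.txt <downloaded-file>` from the download directory and treat any non-zero status as a reason not to use the file.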