Verifying release files with GPG
From Void Linux Wiki
$ gpg --recv-keys 482F9368
$ wget http://repo.voidlinux.eu/live/sha256sums.txt
$ wget http://repo.voidlinux.eu/live/sha256sums.txt.asc
$ LANG=C gpg --verify sha256sums.txt.asc
gpg: assuming signed data in 'sha256sums.txt'
gpg: Signature made Sun Feb 8 12:33:05 2015 CET using RSA key ID 482F9368
gpg: Good signature from "Juan RP <email@example.com>" [unknown]
gpg: aka "[jpeg image of size 3503]" [unknown]
...
Now that the signature has been verified, check that the sha256 hash is valid for the file you've downloaded: use the sha256sum utility and compare it with what's stored in the
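
The hash comparison described above, as an added example that is not part of the wiki page: it looks up one downloaded file in a checksum list that has already passed `gpg --verify` and refuses files that are missing from the list. The function names, the sample file and the two accepted line formats (GNU `<hash>  <name>` and BSD `SHA256 (<name>) = <hash>`) are assumptions, since the page does not show the contents of sha256sums.txt.

```shell
#!/bin/sh
# Added example (not from the wiki). Assumes the checksum list has already
# passed `gpg --verify`, and that it uses either GNU lines ("<hash>  <name>")
# or BSD lines ("SHA256 (<name>) = <hash>"); file names contain no spaces.

# expected_hash SUMS NAME: print the hash recorded for NAME (nothing if absent)
expected_hash() {
    awk -v name="$2" '
        $1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" { print $4; exit }
        NF == 2 && ($2 == name || $2 == ("*" name))          { print $1; exit }
    ' "$1" | tr 'A-F' 'a-f'
}

# verify_release_file SUMS FILE
# returns 0 on match, 1 on mismatch, 2 when FILE is not listed (fail closed)
verify_release_file() {
    want=$(expected_hash "$1" "$(basename "$2")")
    if [ -z "$want" ]; then
        echo "$2: not listed in $1" >&2
        return 2
    fi
    have=$(sha256sum "$2" | awk '{ print $1 }')
    if [ "$have" != "$want" ]; then
        echo "$2: FAILED (expected $want, got $have)" >&2
        return 1
    fi
    echo "$2: OK"
}

# Constructed sample: a stand-in "image" and a BSD-style list built from it.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample image\n' > "$dir/sample.iso"
    printf 'SHA256 (sample.iso) = %s\n' \
        "$(sha256sum "$dir/sample.iso" | awk '{ print $1 }')" > "$dir/sha256sums.txt"
    verify_release_file "$dir/sha256sums.txt" "$dir/sample.iso"   # matches the list
    printf 'x' >> "$dir/sample.iso"                               # simulate corruption
    verify_release_file "$dir/sha256sums.txt" "$dir/sample.iso" || echo "rejected"
    rm -rf "$dir"
}
demo
```

With real files the call is `verify_release_file sha256sums.txt <downloaded image>`; a non-zero exit status means the image should not be used.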