Verifying release files with GPG

From Void Linux Wiki

The sha256sums.txt files available at http://repo.voidlinux.eu/live and http://repo.voidlinux.eu/static are signed with my GPG key (Juan RP). To verify that they are signed correctly, use GnuPG:

$ gpg --recv-keys 482F9368
$ wget http://repo.voidlinux.eu/live/sha256sums.txt
$ wget http://repo.voidlinux.eu/live/sha256sums.txt.asc
$ LANG=C gpg --verify sha256sums.txt.asc 
gpg: assuming signed data in 'sha256sums.txt'
gpg: Signature made Sun Feb  8 12:33:05 2015 CET using RSA key ID 482F9368
gpg: Good signature from "Juan RP <xtraeme@gmail.com>" [unknown]
gpg:                 aka "[jpeg image of size 3503]" [unknown]
...

Now that the signature has been verified, check that the SHA256 hash of the file you downloaded is valid: compute it with the sha256sum utility and compare it with the value stored in the sha256sums.txt file.
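
The hash comparison described above, as an added example that is not part of the original wiki page: a shell function that looks up a file's entry in the already-verified sha256sums.txt and compares it with the computed hash. The function names, the script name verify.sh and the two entry formats handled (GNU style and BSD tag style) are assumptions; accepting both formats goes beyond what the page states.

```shell
#!/bin/sh
# Added example: check a downloaded file against sha256sums.txt after its
# signature has been verified. Assumed entry formats (not stated on the page):
#   GNU style:  "<hash>  <name>"     BSD style: "SHA256 (<name>) = <hash>"
# File names are assumed to contain no whitespace.

# expected_hash SUMS_FILE NAME: print the hash recorded for NAME, if any.
expected_hash() {
    awk -v name="$2" '
        $1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" { print tolower($4); exit }
        NF == 2 && ($2 == name || $2 == ("*" name)) { print tolower($1); exit }
    ' "$1"
}

# verify_file SUMS_FILE PATH: return 0 only if PATH matches its recorded hash.
verify_file() {
    sums=$1
    path=$2
    name=$(basename "$path")
    want=$(expected_hash "$sums" "$name")
    if [ "${#want}" -ne 64 ]; then
        echo "FAIL: no usable SHA256 entry for $name in $sums" >&2
        return 1
    fi
    got=$(sha256sum "$path" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "FAIL: $name does not match $sums" >&2
    echo "  expected: $want" >&2
    echo "  computed: $got" >&2
    return 1
}

# Run as: sh verify.sh sha256sums.txt <downloaded-file>  (hypothetical script name)
if [ "$#" -eq 2 ]; then
    verify_file "$1" "$2"
    exit
fi
```

A missing entry is treated as a failure rather than skipped, so a file that was never listed in the signed sha256sums.txt cannot pass the check.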