How-to-verify-signature-of-downloaded-source-file-with-gpg

Download PGP public key block, Signature and the software.tar.gz

Import the PGP public key block

$ gpg --import wietse.pgp 
gpg: key C12BCD99: public key "Wietse Venema <wietse@porcupine.org>" imported
gpg: key D5327CB9: public key "wietse venema <wietse@porcupine.org>" imported
gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 2)
gpg: no ultimately trusted keys found


:~/postfix$ file wietse.pgp
wietse.pgp: PGP public key block

List Keys

:~/postfix$ gpg --list-keys
/home/jyothis/.gnupg/pubring.gpg
--------------------------------
pub   2048R/C12BCD99 2005-02-28
uid                  Wietse Venema <wietse@porcupine.org>

pub   1022R/D5327CB9 1992-09-25
uid                  wietse venema <wietse@porcupine.org>
uid                  wietse venema <wietse@wzv.win.tue.nl>

Verify Signature

:~/postfix$ gpg --verify postfix-2.6.5.tar.gz.sig postfix-2.6.5.tar.gz
gpg: Signature made Sat Aug 29 00:50:08 2009 UTC using RSA key ID C12BCD99
gpg: Good signature from "Wietse Venema <wietse@porcupine.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FF 96 4A 8C 96 88 7C 6E  A4 EF AD BF 48 34 E1 BB
:~/postfix$