Follow these steps to verify the signature of a gzipped tarball:

1. Add the public key of the person or organization that created the package.

2. Sign the public key using GPG.You can either use GPG’s --sign command, or you can enter GPG’s interactive mode.

3. Once you have added and signed the public key of the person who owns the package, enter the following command: gpg --verify signaturefile.tar.gz taballpackage.gz.

You will then receive a message either that the signature is good, or that the public key cannot be found. If the public key cannot be found, you must obtain another public key, or you will not be able to verify who owns the package.

Using Md5sum

Sometimes, a developer will use the md5sum command to generate a hash of the file.You can use this hash and the md5sum command to ensure that the file has not been altered.The easiest way to do this is to read the hash that the developer generated, download the binary in question, and then run md5sum against it.

For example, suppose that you learn that the wu-ftpd daemon (the daemon responsible for providing FTP on many sites) has a security problem.You wish to install the latest secure version. After downloading it, you run md5sum against the file:

md5sum wu-ftpd-2.8.1-6.i386.rpm
t412cfhh5bf1376cia9da6c5dd86a463 wu-ftpd-2.6.1-6.i386.rpm

However, you notice that the developer’s md5sum value for the same program reads as follows:

y415cfgz5bf1356cib8da6c5dd8da0k5

You should then delete the file and find another source where you can verify the md5sum hash.