Verifying something that I've signed
Sometimes when I release software, or put other bits of data out there, I will sign them with my key to show that they really came from me. Usually I will do this with a detached signature, that is, one in a different file. If you want to verify that my key was used for the signature, do the following:
First, fetch the key from the key server.
gpg --recv-keys --keyserver pool.sks-keyservers.net E88432C3
Then, use it to verify the signature. Assume that I'm distributing a file example.tar.bz2 and I've given you the signature example.tar.bz2.asc:
gpg --verify example.tar.bz2.asc example.tar.bz2
In fact, as long as the signature's filename is the same as that of the file it signs, with '.asc' appended, only the first argument is required.
If all is well you should see a message confirming a good signature and giving my name and email address, as it appears in the key:
gpg: Good signature from "Simon Rawles <email address>"
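The "Good signature" line only says the signature matches a key in your keyring, and an eight-character ID such as E88432C3 is short enough that a different key can share it. The script below is an added example, not part of the original page: it runs the same gpg --verify and accepts the file only if gpg reports a valid signature from a key whose full fingerprint you pass in. The function names, the script name verify.sh and the fingerprint argument (which you would get from the author over a separate channel) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original page): verify a detached signature
# AND check which key made it, by full fingerprint.

# check_status EXPECTED_FPR
# Reads gpg's machine-readable status lines on stdin. Succeeds only if a
# VALIDSIG line names EXPECTED_FPR and no failure status was reported.
check_status() {
    # Normalise "abcd 1234 ..." to "ABCD1234..." so pasted fingerprints work.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Refuse short key IDs: require at least a 40-hex-digit fingerprint.
    case "$expected" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -ge 40 ] || return 2
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        # $3 is the fingerprint of the key that signed; the last field,
        # when gpg prints it, is the primary key fingerprint.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_detached EXPECTED_FPR SIGFILE DATAFILE
verify_detached() {
    # --status-fd 1 puts the status lines on stdout; gpg's human-readable
    # messages go to stderr and are discarded here.
    gpg --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Run as: sh verify.sh FINGERPRINT example.tar.bz2.asc example.tar.bz2
if [ "$#" -eq 3 ]; then
    verify_detached "$@" && echo "signature OK, key matches"
fi
```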