Verifying something that I've signed

Sometimes when I release software, or put other bits of data out there, I will sign them with my key to show that they really came from me. Usually I will do this with a detached signature, that is, one in a different file. If you want to verify that my key was used for the signature, do the following:

First, fetch the key from the key server.

gpg --recv-keys E88432C3

Then, use it to verify the signature. Assume that I'm distributing a file example.tar.bz2 and I've given you the signature example.tar.bz2.asc.

gpg --verify example.tar.bz2.asc example.tar.bz2

In fact, as long as the signature's filename is the name of the file it signs with '.asc' appended, only the first argument is required.

If all is well you should see a message confirming a good signature and giving my name and email address, as they appear in the key:

gpg: Good signature from "Simon Rawles <email address>"
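
For scripted checks, the same verification can be driven from gpg's machine-readable status lines and pinned to a full key fingerprint, since "Good signature" is printed for any key that happens to be in the keyring. This is an added example, not part of the original page: the function names are hypothetical, and the full fingerprint must be obtained from the signer, because the page gives only the short ID E88432C3.

```sh
#!/bin/sh
# Added example: decide from gpg's --status-fd lines, not from the
# human-readable "Good signature" text.

# check_status EXPECTED_FPR   (reads `gpg --status-fd` output on stdin)
# Succeeds only if there is a GOODSIG, no failure status, and a VALIDSIG
# whose primary-key fingerprint equals EXPECTED_FPR.
check_status() {
    # Normalise the expected fingerprint: drop spaces, upper-case hex.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # Bad, unverifiable, expired or revoked: never accept.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the fingerprint of the signing (sub)key;
            # field 12, when present, is the primary key fingerprint.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) fpr_ok = 1
        }
        END { exit !(good && fpr_ok && !bad) }
    '
}

# verify_detached SIGFILE DATAFILE EXPECTED_FPR
# Runs gpg and returns check_status's verdict (the last command in the pipe).
verify_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$3"
}

# Usage, with the fingerprint supplied by the signer (placeholder here):
#   verify_detached example.tar.bz2.asc example.tar.bz2 "<full fingerprint>"
```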