Whenever you download software, check whether the author (signer) publishes a PGP public key and a signature for the release. If so, import the key with the gpg tool and verify that the software was signed by the author.
I have downloaded the Postfix software from http://mirror.postfix.jp/postfix-release/index.html
[root@centos downloads]# ll
total 3752
-rw-r--r--. 1 root root 3827595 Jun 22 16:27 postfix-2.10.1.tar.gz (Software)
-rw-r--r--. 1 root root 280 Jun 22 16:28 postfix-2.10.1.tar.gz.sig (Sign)
-rw-r--r--. 1 root root 6390 Feb 28 2005 wietse.pgp (pgp)
You have to import the GPG key using the following command:
[root@centos downloads]# gpg --import wietse.pgp
gpg: key C12BCD99: public key "Wietse Venema " imported
gpg: key D5327CB9: public key "wietse venema " imported
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 2)
gpg: no ultimately trusted keys found
You can now check for the imported keys as follows:
[root@centos downloads]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/C12BCD99 2005-02-28
uid Wietse Venema
pub 1022R/D5327CB9 1992-09-25
uid wietse venema
uid wietse venema
Now, we are verifying the signature against the software as follows:
[root@centos downloads]# gpg --verify postfix-2.10.1.tar.gz.sig postfix-2.10.1.tar.gz
gpg: Signature made Sun 23 Jun 2013 05:28:00 AM IST using RSA key ID C12BCD99
gpg: Good signature from "Wietse Venema "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FF 96 4A 8C 96 88 7C 6E A4 EF AD BF 48 34 E1 BB
In the above output, we are just checking whether the author has signed the software, and that is confirmed by the line gpg: Good signature from "Wietse Venema ".
Now, you can go ahead and install/configure the software.
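The "Good signature" line only says the file matches a key in your keyring, and the WARNING lines say gpg has no evidence of who owns that key, so a scripted check should also pin the fingerprint. The shell functions below are an added example, not part of the original post: they verify in a throwaway keyring and pass only if gpg's machine-readable VALIDSIG status carries the expected fingerprint. The function names are hypothetical, and the expected fingerprint is assumed to come from a source other than the download mirror.

```shell
#!/bin/sh
# Added example: fail-closed check of a detached signature against a pinned
# fingerprint. Function names are hypothetical, not from the original post.

# Constructed sample of a status line for a good signature (not captured output).
SAMPLE_OK='[GNUPG:] VALIDSIG FF964A8C96887C6EA4EFADBF4834E1BB 2013-06-22 1371945480 0 3 0 1 2 00'

# norm_fpr FPR: strip spaces and upper-case, so "FF 96 4A ..." compares cleanly.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_status EXPECTED_FPR: reads `gpg --status-fd` lines on stdin.
# Succeeds only if a VALIDSIG line names the expected fingerprint (signing key
# in field 3, or primary key in field 12 when gpg reports one) and no
# BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line appears.
check_status() {
    want=$(norm_fpr "$1")
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($12) == want) ok = 1
            else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_release KEYFILE SIGFILE DATAFILE EXPECTED_FPR
# Imports KEYFILE into a temporary keyring so keys already in ~/.gnupg
# cannot satisfy the check, then verifies and applies check_status.
verify_release() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
        gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        check_status "$4"
    rc=$?
    rm -rf "$home"
    return $rc
}

# Run only when called with the four arguments described above.
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

Called as `sh script.sh wietse.pgp postfix-2.10.1.tar.gz.sig postfix-2.10.1.tar.gz "FF 96 4A 8C 96 88 7C 6E A4 EF AD BF 48 34 E1 BB"`, it exits 0 only when the signature is valid and made by the pinned key.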