Friday, April 14, 2006

Notes on using GnuPG

1. Generate a key pair for yourself using
gpg --gen-key

2. Download the desired file and its detached signature. In this example the signature is supposed to come from a person named Joe.
The desired file: abc.tar.gz
Its signature: abc.tar.gz.sig

3. Obtain Joe's public key using
gpg --import KEY-FILE
or
gpg --keyserver pgpkeys.mit.edu --recv-keys KEY-ID

Here KEY-FILE is the name of a file containing Joe's public key. This file needs to be obtained from Joe or another trusted source.
KEY-ID is the ID of Joe's public key. It should also be obtained from Joe or another trusted source. A key fetched from a keyserver is not trustworthy by itself: anyone can upload a key carrying any name and e-mail address, so the fetch only saves you the download; step 5 is what establishes that the key is Joe's.

4. Verify that the file was signed with that public key. gpg looks for the signed file by stripping the .sig suffix, so abc.tar.gz must sit next to the signature; the file can also be named explicitly as a second argument.
gpg --verify abc.tar.gz.sig

A "Good signature" here only proves that the signature was made by the key you just imported. Until that key has been certified (step 6), gpg also prints a WARNING that the key is not certified with a trusted signature, which is exactly the gap step 5 closes.

5. Make sure the key actually belongs to Joe by confirming the fingerprint of the public key against one obtained from Joe himself. The ultimate confirmation is face-to-face communication. Compare the full fingerprint, every hex group; the short 8-digit key ID alone is not enough, since keys with a chosen short ID are cheap to generate.
gpg --fingerprint KEY-ID

6. If you trust Joe and are sure the public key belongs to Joe, you can sign (certify) Joe's public key using
gpg --sign-key KEY-ID
This creates an exportable certification, i.e. one you could publish to tell others you vouch for the key. If the certification is only meant for your own keyring, use the lsign-key command instead, which marks it non-exportable. Either way, once the key is certified by your own key, the warning from step 4 disappears.
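The whole procedure, run end to end in two throwaway keyrings so nothing touches ~/.gnupg. This is an added example, not a script from the original post: "Joe <joe@example.org>" and "Me <me@example.org>" are made-up identities, abc.tar.gz is a constructed sample file, and the fingerprint Joe would normally read out to you in person is stood in for by reading it straight from his keyring. The keys are generated without a passphrase, which is fine for a demo and nothing else.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-6 with GnuPG >= 2.1,
# Joe's side and the downloader's side in separate temporary GNUPGHOMEs.
set -eu

# Returns 0 when abc.tar.gz.sig verifies, the signing key's fingerprint
# matches the one obtained out of band, and a tampered copy fails; 1 otherwise.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; return 0; }
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    joe="$work/joe"; me="$work/me"
    mkdir -m 700 "$joe" "$me"

    # Joe's side: his own step 1, then sign the release and export his public key.
    printf 'pretend this is a tarball\n' > "$work/abc.tar.gz"
    GNUPGHOME="$joe" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Joe <joe@example.org>" default default 0 || return 1   # 0 = never expires
    GNUPGHOME="$joe" gpg --batch --quiet --detach-sign \
        --output "$work/abc.tar.gz.sig" "$work/abc.tar.gz" || return 1
    GNUPGHOME="$joe" gpg --batch --armor --export joe@example.org > "$work/joe.asc" || return 1
    # The fingerprint Joe would tell you face to face (step 5); --with-colons is parseable.
    trusted_fpr=$(GNUPGHOME="$joe" gpg --batch --with-colons --fingerprint joe@example.org \
                  | awk -F: '$1=="fpr"{print $10; exit}')

    # Your side: step 1 (your own key, needed to certify in step 6), step 3 (import).
    GNUPGHOME="$me" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Me <me@example.org>" default default 0 || return 1
    GNUPGHOME="$me" gpg --batch --quiet --import "$work/joe.asc" || return 1

    # Step 4: human-readable verify first; expect the "not certified" WARNING.
    echo "--- step 4, before certifying Joe's key ---"
    GNUPGHOME="$me" gpg --verify "$work/abc.tar.gz.sig" "$work/abc.tar.gz" || return 1
    # Machine-readable result: the VALIDSIG status line carries the full fingerprint.
    sig_fpr=$(GNUPGHOME="$me" gpg --batch --status-fd 1 --verify \
                  "$work/abc.tar.gz.sig" "$work/abc.tar.gz" 2>/dev/null \
              | awk '$2=="VALIDSIG"{print $3; exit}')

    # Step 5: "good signature" only means "signed by this key"; bind the key to Joe.
    if [ -z "$sig_fpr" ] || [ "$sig_fpr" != "$trusted_fpr" ]; then
        echo "fingerprint mismatch: signature=$sig_fpr expected=$trusted_fpr" >&2
        return 1
    fi

    # Step 6: local (non-exportable) certification, the batch form of lsign-key.
    GNUPGHOME="$me" gpg --batch --quiet --yes --quick-lsign-key "$trusted_fpr" || return 1
    echo "--- step 6, after certifying Joe's key (no WARNING now) ---"
    GNUPGHOME="$me" gpg --verify "$work/abc.tar.gz.sig" "$work/abc.tar.gz" || return 1

    # Negative check: one extra byte in the download must break the signature.
    printf 'x' >> "$work/abc.tar.gz"
    if GNUPGHOME="$me" gpg --batch --verify "$work/abc.tar.gz.sig" "$work/abc.tar.gz" 2>/dev/null; then
        echo "tampered file verified, something is wrong" >&2
        return 1
    fi
    return 0
}

gpg_roundtrip && echo "round trip OK"
```

The two --verify runs show the difference step 6 makes: the first one prints the "This key is not certified with a trusted signature!" warning, the second does not, yet both report a good signature. That is why the fingerprint comparison in the middle, and not the verify itself, is the step that ties the file to Joe.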
