This page explains how to verify the authenticity and integrity of packages.
Open a terminal window and follow the steps below:
Step-1: Extract the software package
Extract the TGZ file you received by email. This is a compressed file similar to Zip files on Windows. Most file managers will display an “Extract Here” option when you right-click the file.
Step-2: Import Public Key
Import my public key from the Ubuntu key server. You can skip this if you have imported my key previously.
gpg --keyid-format long --keyserver hkp://keyserver.ubuntu.com --recv-keys 0x7D0E596BA81BB0D020834D85442392867C3B6F64
The output should say that the import was successful.
gpg: key 442392867C3B6F64: public key "Tony George firstname.lastname@example.org" imported
gpg: Total number processed: 1
gpg: imported: 1
Step-3: Verify Signature
Check if the signature is good:
gpg --verify CHECKSUM.sha512.sig
The output should say “Good signature” from “Tony George email@example.com” with the key id “7D0E596BA81BB0D020834D85442392867C3B6F64”.
This validates that the file CHECKSUM.sha512 was produced and signed by me.
gpg: assuming signed data in 'CHECKSUM.sha512'
gpg: Signature made Sunday 20 January 2019 07:54:37 PM IST
gpg: using RSA key 7D0E596BA81BB0D020834D85442392867C3B6F64
gpg: Good signature from "Tony George firstname.lastname@example.org" [ultimate]
Step-4: Verify Checksum
Check if the checksums match:
shasum -c CHECKSUM.sha512
The status should be OK for every file.
This verifies that every file matches the checksum in the signed list, so none of the files have been modified in any way.
Step-5: Install the packages
Install the packages by executing the install.sh file: