Several archives distributed onto this site are cryptographically signed using OpenPGP-compliant signatures. Everyone is encouraged to check the integrity of the downloaded content by verifying its corresponding signature. The signing and verification process ensures that the downloaded files were not modified or tampered since their creation and thus prevents anyone to use corrupted files.
On GNU/Linux, the most common way for verifying the PGP signature is to use
GnuPG. First ensure that GnuPG is installed
on your system. Then download the archive and its PGP signature and use the
gpg2 command to check the integrity of the archive against its
$ wget www.meso-star.com/solstice/downloads/Archive-Name-GNU-Linux64.tar.gz $ wget www.meso-star.com/solstice/downloads/Archive-Name-GNU-Linux64.tar.gz.sig $ gpg2 --verify Archive-Name-GNU-Linux64.tar.gz.sig
The first time you may obtain the likely output:
gpg: Signature made Wed 20 Sep 2017 08:28:35 AM CEST using RSA key 7322B68F7896C455 gpg: Can't check signature: No public key
This means that you do not have the public part of the PGP key used to sign
this archive. In the previous example the key identifier is
gpg2 to download this key from
the PGP keyserver.
$ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys 7322B68F7896C455
Now you can check the integrity of the archive with respect to the previously downloaded public-key.
$ gpg2 --verify Archive-Name-GNU-Linux64.tar.gz.sig gpg: assuming signed data in 'Archive-Name-GNU-Linux64.tar.gz' gpg: Signature made Tue 26 Sep 2017 09:28:40 AM CEST gpg: using RSA key 1F494948BAA4F5F4A0AF82FF7322B68F7896C455 gpg: Good signature from "Vincent Forest (http://www.meso-star.com) gpg: <email@example.com>" [ultimate] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 20EB E4CF 3D9F 4B9A E55D 5F59 679F 2975 93B2 C8A2 Subkey fingerprint: 1F49 4948 BAA4 F5F4 A0AF 82FF 7322 B68F 7896 C455
Note that GnuPG warns that the key is not certified. In other words you
cannot be sure that the key used to sign the archive really belongs to the
owner. The best option is to physically meet the actual owner and ask for him
about the key validity. More simply, but also less secure, you can review the
list of signatures of the key with
gpg2 --list-sigs and then make a
decision whether you trust that key or
On Windows, you can use the GPG4Win tool to verify the archive signature. The process is roughly the same that on GNU/Linux: you first have to import the public key used to sign the archive before verifying its integrity and checking that the imported key really belongs to the owner.