Tutorial: How to verify a downloaded file using gpg on Linux

1. Get the public signing key of the provider of your downloaded file from trusted sources (e.g. the official website, multiple forums, keyservers, etc.).

2. Download your file (filename.iso, .zip, etc.) & its respective gpg files (checksums.txt, .gpg, etc.). In this example, we will verify a downloaded clonezilla.zip by using its gpg files: gpgkey.asc, CHECKSUMS.TXT & CHECKSUMS.TXT.gpg.

3. Open a terminal in the folder containing all your downloaded files (in this example, my downloads folder) & import the signing key.

gpg --import gpgkey.asc

4. Verify the signed gpg files:

gpg --verify CHECKSUMS.TXT.gpg CHECKSUMS.TXT

5. If it shows a good signature, it means the checksums file was signed by the signing key. Now we just need to verify whether the downloaded .zip file hashes to the same sha256sum listed in the .txt file. To find the sha256sum of every .zip in the folder, run:

sha256sum -b *.zip

6. Compare the sha256sum of the .zip file with the sha256sum in CHECKSUMS.TXT:

sha256sum --ignore-missing -c CHECKSUMS.TXT

7. If it shows OK as below, it means the downloaded file is verified. In this case, it seems like this is verified by the key of pub 4096R/45599AFD. Cheers
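Steps 4 to 7 as one script, added here as an example and not part of the original post. It goes slightly further than the manual steps: it reads gpg's machine-readable status and requires the full fingerprint you confirmed in step 1 (a short ID such as 45599AFD is not enough to pin a key), and it requires the named file itself to be listed in the signed checksums. The function names and the fingerprint argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. The fingerprint argument is the
# full fingerprint you confirmed out-of-band in step 1 (no value is assumed).

# Read `gpg --status-fd` output on stdin. Succeed only if there is a GOODSIG
# line (valid signature, key not expired or revoked) and a VALIDSIG line
# whose signing-key or primary-key fingerprint equals $1.
sig_matches_fpr() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (want "") || ($NF "") == (want "")) { valid = 1 }
        END { exit !(good && valid) }'
}

# Succeed only if FILE's SHA-256 is listed in LIST beside FILE's base name.
# `sha256sum --ignore-missing -c` passes when any listed file that is present
# checks out; this requires the named file itself to be listed.
# Assumes file names without spaces.
file_in_checksums() {
    sum=$(sha256sum -b -- "$1" | cut -d' ' -f1)
    [ -n "$sum" ] || return 1
    awk -v sum="$sum" -v name="$(basename -- "$1")" '
        { n = $2; sub(/^\*/, "", n) }
        ($1 "") == (sum "") && n == name { ok = 1 }
        END { exit !ok }' "$2"
}

# verify_download FILE LIST SIG FINGERPRINT
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | sig_matches_fpr "$4" || return 1
    file_in_checksums "$1" "$2"
}

# Run as: sh verify.sh clonezilla.zip CHECKSUMS.TXT CHECKSUMS.TXT.gpg <FULL-FINGERPRINT>
if [ "$#" -eq 4 ]; then
    verify_download "$@" && echo "verified: $1"
fi
```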

Follow & support @sylviabrowyn
