How to verify a file using an asc signature file?

  • Download the key file:
  • Inspect the key file to confirm it has EE1B0E6B2D8387B7 as its keyid.
gpg --keyid-format long --list-options show-keyring OSSEC-ARCHIVE-KEY.asc
  • If correct, then import the key:
gpg --import OSSEC-ARCHIVE-KEY.asc
  • Download the software package
  • Download the signature file
  • Verify it
gpg --verify ossec-hids-2.9.3.tar.gz.asc 2.9.3.tar.gz


gpg: Signature made Sat Dec 23 16:13:01 2017 UTC
gpg:                using RSA key EE1B0E6B2D8387B7
gpg: Good signature from "Scott R. Shinn <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B50F B194 7A0A E311 45D0  5FAD EE1B 0E6B 2D83 87B7