January 3, 2009

How to verify the integrity of downloaded files on a Mac

I classify files available for download on the internet as follows:

  • Respectable providers ship download files with signatures;
  • Less respectable providers ship with checksums;
  • Disreputable providers ship only the download file.
The difference is mainly this: a checksum lets you verify that the bytes you received are the bytes the checksum describes, i.e. that the file was not corrupted or altered in transit. It says nothing about who produced the file, and if the checksum is served from the same place as the file, whoever can tamper with the file can replace the checksum as well. A signature lets you verify the above plus that the file was signed by the holder of a particular private key, usually the creator of the file you downloaded. Prefer the signature whenever one is offered with a download.
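As an added example (not from the original post), here is the checksum side of the comparison as a small shell script: it computes the SHA-256 digest of a downloaded file with whichever tool the machine has (sha256sum on Linux, shasum on Mac OS X, openssl as a fallback) and compares it to a digest you copied from the provider. SHA-256 is my choice for the example; the provider's checksum file tells you which algorithm they actually used. The file name and digest in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded file against
# a published SHA-256 digest. Uses whichever tool the machine has: sha256sum
# (Linux), shasum (ships with Mac OS X), or openssl as a fallback.

# Print the lowercase/uppercase hex SHA-256 digest of file $1.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        # openssl prints "SHA256(file)= <hex>"; the digest is the last field
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Return 0 if the digest of file $1 equals $2 (case-insensitive, spaces
# ignored so a digest copied from a web page still compares).
# What this proves: the bytes match the digest you were given. What it does
# not prove: who produced the file. A digest hosted next to the download can
# be swapped together with it; only a signature ties the file to a signer.
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "MISMATCH: $1" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage: sh checksum.sh foo.tar.gz <64 hex digit digest>   (placeholder names)
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```

The script exits non-zero on a mismatch, so it can sit in front of an install step (`sh checksum.sh foo.tar.gz "$DIGEST" && tar xzf foo.tar.gz`).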

The most popular way of digitally signing a file is with an OpenPGP key, whose ownership is vouched for through the web of trust. To get started, you can use GNU Privacy Guard (GnuPG), which is free software. If you don't have it on your Mac, you can install the Mac version. I've downloaded the dmg of version 1.4.8 and it worked like a charm.

After installing GnuPG, the command "gpg" is available to you in /usr/local/bin, along with some other utility programs. Open a terminal and run
 $ gpg --verify foo.tar.gz.sig
to verify that the file foo.tar.gz matches the detached signature foo.tar.gz.sig (gpg finds the signed file by dropping the ".sig" suffix; if the data file has a different name or lives elsewhere, name it explicitly: "gpg --verify foo.tar.gz.sig foo.tar.gz"). You can verify several files at once with
 $ gpg --verify-files *.sig
Read the manual ("man gpg") for more details.

Oops, an error!

If you see a message like
 gpg: Signature made Wed Dec 13 05:02:10 2006 CST using DSA key ID 64EA74AB
 gpg: Can't check signature: public key not found
from "gpg --verify", it means that the signer's public key is not in your GPG keyring. Import the signer's public key into your keyring and try again. The following is how I do it; your mileage may vary.

The longer route:
  1. Go to http://pgp.mit.edu/, a popular public key server.
  2. Type the key ID in the search box. Remember to prefix the 8-character hex key ID with "0x". For the example above, I typed "0x64EA74AB".
  3. If all goes well, you'll see a search result page listing one or more keys. Click on the key ID that matches your input. Other keys in the list are typically those of people who have signed ("vouched for") the key you searched for. Note that an 8-character key ID is only the low 32 bits of the fingerprint and is not guaranteed to be unique, so the full fingerprint is what you ultimately need to compare.
  4. The key server should then show you the public key for that key ID. Copy and paste the plain text between "-----BEGIN PGP PUBLIC KEY BLOCK-----" and "-----END PGP PUBLIC KEY BLOCK-----", these two lines included, into a file on your computer. Let's call the file "foo.txt".
  5. Now import this key into your GPG keyring:
     $ gpg --import foo.txt
The shorter route: the 5 steps outlined above can be done in one command:
 $ gpg --recv-keys 0x64EA74AB
(if gpg complains that no keyserver is configured, add "--keyserver pgp.mit.edu"). Now that the signer's public key is in your keyring, you can verify files signed with it using "gpg --verify". You will still see "WARNING: This key is not certified with a trusted signature!": that only means you have not yet established who holds the key. Anyone can upload a key with any name to a key server, so before relying on the result, compare the key's full fingerprint ("gpg --fingerprint 0x64EA74AB") with one the project publishes through a channel independent of the download, such as its own website or a release announcement.
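As an added example (not from the original post), the following shell script does the verification step the way I would script it for a download: it asks gpg for machine-readable status lines and accepts the file only if a VALIDSIG line carries the fingerprint you pinned beforehand. This matters because "gpg --verify" exits 0 for a good signature from any key in your keyring, including one you fetched a minute ago and never checked. It assumes gpg (1.4.x or 2.x) is on PATH; the fingerprints, key IDs and names in the comments are constructed placeholders, not a real project's key.

```shell
#!/bin/sh
# Added example (not from the original post): verify a detached OpenPGP
# signature and pin the signer to a fingerprint obtained independently.
# Assumes gpg (1.4.x or 2.x) is on PATH. The status-line parsing needs no
# gpg at all, so it can be exercised with captured output.

# Print the fingerprint(s) reported on "[GNUPG:] VALIDSIG" status lines.
# Field 3 is the fingerprint of the (sub)key that made the signature; field 12,
# when present, is the primary key fingerprint (what projects usually publish).
# BADSIG, ERRSIG and NO_PUBKEY lines produce no VALIDSIG, so nothing is printed.
validsig_fingerprints() {
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            print $3
            if (NF >= 12) print $12
        }'
}

# Normalise a fingerprint as a human writes it ("0123 4567 ...", lowercase)
# to the 40 uppercase hex characters gpg emits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 only if some VALIDSIG line in status text $1 names fingerprint $2.
# A "Good signature" from any other key is NOT accepted: the point is that
# the key must be one you pinned, not merely one present in your keyring.
status_matches_fingerprint() {
    expected=$(normalize_fpr "$2")
    for fpr in $(validsig_fingerprints "$1"); do
        if [ "$fpr" = "$expected" ]; then
            return 0
        fi
    done
    return 1
}

# Verify file $1 against detached signature $2, requiring fingerprint $3.
# --status-fd 1 sends the machine-readable status lines to stdout while the
# human-readable chatter stays on stderr. The exit code is deliberately
# ignored: gpg returns 0 for a good signature from ANY key in the keyring.
verify_download() {
    gpg_status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    if status_matches_fingerprint "$gpg_status" "$3"; then
        echo "OK: $1 is signed by $(normalize_fpr "$3")"
        return 0
    fi
    echo "FAIL: $1 has no valid signature from the pinned key" >&2
    return 1
}

# Usage: sh verify.sh foo.tar.gz foo.tar.gz.sig "<40 hex digit fingerprint>"
if [ "$#" -eq 3 ]; then
    verify_download "$1" "$2" "$3"
fi
```

The pinned fingerprint is the one piece of data you must obtain out of band (the project's website, a signed announcement, a key you verified in person); once you have it, this check holds up even if the key server, the download mirror and the checksum file are all under an attacker's control.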
