You can verify a downloaded file using its PGP signature. Alternatively, use SHA256 checksum verification. So how does it work? First of all you need to download two files, the and . Let's take a look at an example when downloading the phpMyAdmin package (see the instructions here and the file download here).

The downloaded file and its two signature files
Example content of the .asc file
Example content of the .sha256 file (not covered in this tutorial; to see SHA256 verification, go to this post)

Navigate to the download folder (in Git Bash use):

cd /c/Users/SYMFONY/Downloads

Now proceed as the phpMyAdmin instructions describe:

gpg --verify
gpg --verify
As we got prompted, we do not have the public key yet. So let's get it now. We can do it in two ways. One is to download the public key manually from the download server and import it from the file:
gpg --import phpmyadmin.keyring

or try to import the key directly from the CLI like this:

gpg --keyserver hkp:// --recv-keys 3D06A59ECE730EB71B511C17CE752F178259BD92

Now you can verify the file using this key:

gpg --verify

As you can see, we were able to verify the downloaded file, but we still get a warning that the key is not certified with a trusted signature. According to the phpMyAdmin instructions:

“The problem here is that anybody could issue the key with this name. You need to ensure that the key is actually owned by the mentioned person. The GNU Privacy Handbook covers this topic in the chapter Validating other keys on your public keyring. The most reliable method is to meet the developer in person and exchange key fingerprints, however, you can also rely on the web of trust. This way you can trust the key transitively through signatures of others, who have met the developer in person.

Once the key is trusted, the warning will not occur.”
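The steps above (import the key, run gpg --verify, then deal with the "not certified" warning) can be wrapped in a small Git Bash script. This is an added example, not code from the original post or from the phpMyAdmin project. Instead of reading the human-readable "Good signature" text, it asks gpg for machine-readable status lines (--status-fd) and accepts the file only when a VALIDSIG line names the pinned fingerprint, which is the fingerprint imported above with --recv-keys and is assumed here to be the key you expect. That pinning is the practical answer to the warning quoted above: you decide once which fingerprint is the real one, and the script refuses anything else. The file names in the usage comment, the signer UID, the timestamps and the sample status lines in the self-test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or phpMyAdmin): verify a download
# and pin the signing-key fingerprint instead of trusting "Good signature" text.

# Fingerprint fetched above with --recv-keys; assumed to be the key you expect.
EXPECTED_FPR="3D06A59ECE730EB71B511C17CE752F178259BD92"

# Accept gpg --status-fd output only when:
#  - no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG/EXPSIG/NO_PUBKEY line appears, and
#  - a VALIDSIG line names the expected fingerprint, either as the signing key
#    (field 3) or as the primary key of a signing subkey (last field).
status_has_pinned_sig() {
  status="$1"
  expected="$2"
  if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|EXPSIG|NO_PUBKEY)'; then
    return 1
  fi
  printf '%s\n' "$status" | awk -v want="$expected" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Verify FILE against SIG (default FILE.asc). Optionally import a keyring file
# first, like the phpmyadmin.keyring step above. Returns 0 only on a valid
# signature from the pinned key; gpg's normal output still goes to stderr.
verify_download() {
  file="$1"
  sig="${2:-$1.asc}"
  keyring="$3"
  if [ -n "$keyring" ]; then
    gpg --batch --import "$keyring" || return 1
  fi
  # gpg exits non-zero on a bad signature or missing key; fail closed either way.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  status_has_pinned_sig "$status" "$EXPECTED_FPR"
}

# Constructed status output, shaped like gpg prints for a valid signature from
# the pinned key whose owner you have not yet certified (the warning case above).
# Signer UID and timestamps are made up for the example.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CE752F178259BD92 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 3D06A59ECE730EB71B511C17CE752F178259BD92 2020-01-01 1577836800 0 4 0 1 10 00 3D06A59ECE730EB71B511C17CE752F178259BD92
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed status output for a tampered file: same key, signature does not match.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG CE752F178259BD92 Example Signer <signer@example.org>'

# Offline self-check of the parser; prints "pass" when all three cases behave.
self_test() {
  status_has_pinned_sig "$SAMPLE_GOOD" "$EXPECTED_FPR" || { echo fail; return 1; }
  if status_has_pinned_sig "$SAMPLE_GOOD" "0000000000000000000000000000000000000000"; then echo fail; return 1; fi
  if status_has_pinned_sig "$SAMPLE_BAD" "$EXPECTED_FPR"; then echo fail; return 1; fi
  echo pass
}

# Usage: sh verify.sh <downloaded-file> [<signature-file>] [<keyring-file>]
# (placeholder names; use the real phpMyAdmin package, .asc and keyring paths)
if [ "$#" -ge 1 ]; then
  if verify_download "$@"; then
    echo "OK: $1 carries a valid signature from $EXPECTED_FPR"
  else
    echo "REJECTED: $1 (bad signature or unexpected key)" >&2
    exit 1
  fi
else
  self_test
fi
```

Run with no arguments to exercise the parser on the constructed samples; run with the downloaded package (and optionally the .asc and keyring paths) to verify a real download. Note that gpg still prints the trust warning to stderr when run this way; the script does not silence it, it simply makes the fingerprint comparison the thing that decides pass or fail, so a "Good signature" from a different key with the same name is rejected.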
