35.3 Verifying Samba's PGP Signature

It is strongly recommended that you verify the PGP signature for any source file before installing it. Even if you're not downloading from a mirror site, verifying PGP signatures should be a standard reflex. Many people today use the GNU GPG toolset in place of PGP. GPG can substitute for PGP.

With that said, go ahead and download the following files:

    $ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc
    $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc

The first file is the PGP signature for the Samba source file; the other is the Samba public PGP key itself. Import the public PGP key with:

    $ gpg --import samba-pubkey.asc

and verify the Samba source code integrity with:

    $ gzip -d samba-2.2.8a.tar.gz
    $ gpg --verify samba-2.2.8a.tar.asc

If you receive a message like, "Good signature from Samba Distribution Verification Key..." then all is well. The warnings about trust relationships can be ignored. An example of what you would not want to see would be:

    gpg: BAD signature from Samba Distribution Verification Key
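For scripted installs, the same check can be made on gpg's machine-readable status lines (--status-fd) rather than by reading the message by eye, and tied to a key fingerprint obtained out of band. This is an added example, not part of the Samba documentation; the function names check_status and verify_release are hypothetical, and the fingerprint, key IDs and status lines are constructed placeholders, not the real Samba key.

```shell
#!/bin/sh
# Constructed placeholder fingerprint (NOT the Samba key). Replace it with the
# fingerprint of the Samba key obtained from a source you trust.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# check_status EXPECTED_FPR   (gpg status lines on stdin)
# Succeeds only if a VALIDSIG line names the expected fingerprint (signing key
# in field 3, primary key in the last field) and no failure status is present.
check_status() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }
    '
}

# verify_release SIGFILE DATAFILE EXPECTED_FPR
# Example: verify_release samba-2.2.8a.tar.asc samba-2.2.8a.tar "$PINNED_FPR"
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed status output for three cases, so the check runs without gpg.
GOOD_STATUS='[GNUPG:] GOODSIG 89ABCDEF01234567 Example Distribution Key
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-04-07 1049673600 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
BAD_STATUS='[GNUPG:] BADSIG 89ABCDEF01234567 Example Distribution Key'
OTHER_KEY_STATUS='[GNUPG:] GOODSIG 0000000000000001 Some Other Key
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000001 2003-04-07 1049673600 0 3 0 17 2 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000001'

for case in GOOD_STATUS BAD_STATUS OTHER_KEY_STATUS; do
    eval "lines=\$$case"
    if printf '%s\n' "$lines" | check_status "$PINNED_FPR"; then
        echo "$case: accept"
    else
        echo "$case: reject"
    fi
done
```

The third case is the one the human-readable message does not catch: a good signature made by a key other than the one you expected is rejected.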