Hi,

I'm having a really hard time using gpg to verify files, namely because I don't know where the hell to start. I've already browsed through countless similar threads, but none of them made me any wiser.

Now, I have downloaded gcc-4.1.1.tar.bz2 and it's sig file gcc-4.1.1.tar.bz2.sig.

How exactly do I go about verifying the bz2 archive using the sig file? I know it involves downloading a public key, but I honestly have no idea how to do so, and I can't find any pointers/instructions on the gnu main page.

Some threads mentioned using something like gpg --keyserver wwwkeys.gnu.org --import <ID>, but I have absolutely no idea what ID to use and how to obtain it. I'm overlooking something very obvious, I'm sure, but what?

Thank you.

yes ,i want to follow this thread on gpg.
I have no idea too how to import the ID or key into my linux.
things like gpgcheck =1 or 0 in *conf -files

GPG cheatsheet

Thank you for the generic RTFM answer, but I'm sorry to say it doesn't answer my question at all. I have read the basic documentation about gpg.

I guess my problem isn't how to use gpg, but rather how to obtain a public key from gnu.org. How would I download a local copy of a public key from gnu.org? Where is the public key I need, and how do I obtain it?

Really didn't mean to give the RTMF answer I guess that is what I gathered from the information you provided earlier. Ok this might be if assistance and promise it isn't a RTMF answer.
where key number should be provided by the people you are downloading the file you are verifying, also the server subkeys.pgp.net could be different so you might want to ask them that too. Then offcourse
Again not my intention to post an RTFM answer. I have gone through that believe me.

http://www.gnu.org/software/gcc/mirrors.html

Retrieve the listed keys from your preferred keyserver..

i.e.
gpg --keyserver pgp.mit.edu --recv-key 0x745C015A

Many, many thanks. That's exactly what I was looking for. Still, listing the keys on the mirrors.html page? I'd never have thought to look there, it makes no sense. Ugh..

No problem, we're all friends here.

Anyway, I got it working now, the only problem is that gpg outputs that the key isn't "trusted", but I hear it's really a minor issue and I'm sure I can figure it out by myself anyhow.

Oh, and it seems I misunderstood gpg's purpose from the very start, gpg can't be used to check for data corruption in files, can it? If not, then I wonder why sites like gnu only put up sign files and not sha1/md5.

well you can sign a file with gpg. then use gpg to check the signature. if the file has been changed in any way the signature check should fail.. also if thew file fai the signatre check it could mean someone else put the file there instead of the key owner.. either way if the check fails don't trust the file.

untrusted just means you haven't set the key trust level on your end. just having a key in your ring doesn't mean you explicitly trust that key. there are about 5 levels of trust you can set for a key.

A good way to get familiar with gpg is to install thunderbird and the enimail plugin then you have a nice interface you can use to manage gpg keys for your email. you can visually see the trust levels set, the keys you have countersigned, and submitted back to the key servers etc..

gpg is good stuff