Is there a straightforward HOWTO somewhere on how to use gpg to verify downloads when a sig is provided?
It doesn't really seem worth a HOW-TO... at the simplest it's just:
% gpg --verify detached_signature file_to_check
If you also have the correct key to verify against downloaded (recommended), then do this first; otherwise it will just say whether the signature is good or not, but not verify who signed it:
% gpg --import public_key_file
This will work for most source code distributions. If you want to verify the signature on an rpm file, however, you need to use the rpm command's built-in mechanism instead:
% rpm -K rpm_file_to_verify.rpm
If it complains about missing keys, go to the repository where you acquired the rpm and download their public key (it should be prominently displayed), then run:
% rpm --import keyfile
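The gpg half of the answer above, as an added, self-contained example (not code from the original post). It creates a throwaway signing key in a temporary GNUPGHOME, signs a constructed stand-in for a download with a detached signature, and then plays the downloader's side from a second, empty keyring: verifying before the public key is imported, after importing it, and again after the file has been tampered with. The key's user-id, file names and directories are placeholders; it assumes gpg 2.1 or later with gpg-agent available.

```shell
#!/bin/sh
# Added example (not from the original post): detached-signature verification
# with gpg, run end to end against a throwaway key. Assumes gpg >= 2.1.
set -eu

WORK="$(mktemp -d)"
SIGNER="$WORK/signer"   # the project's keyring: makes the release signature
USER_HOME="$WORK/user"  # the downloader's keyring: starts out empty
mkdir -m 700 "$SIGNER" "$USER_HOME"

# Signer side: an unprotected key created in batch mode (user-id is a placeholder).
GNUPGHOME="$SIGNER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Example Signer <signer@example.invalid>' default default never

# The "download" (constructed content) and its detached signature, as a
# project would publish them side by side.
printf 'pretend this is the contents of release-1.0.tar.gz\n' > "$WORK/release-1.0.tar.gz"
GNUPGHOME="$SIGNER" gpg --batch --quiet --detach-sign \
    --output "$WORK/release-1.0.tar.gz.sig" "$WORK/release-1.0.tar.gz"
# The public key the project would publish next to the download.
GNUPGHOME="$SIGNER" gpg --batch --quiet --armor --export 'signer@example.invalid' \
    > "$WORK/signer.asc"

# Downloader side: the command from the answer. Returns gpg's exit status,
# which is 0 only for a good signature made by a key present in the keyring.
verify_download() {   # $1 = detached signature, $2 = file to check
    GNUPGHOME="$USER_HOME" gpg --batch --quiet --verify "$1" "$2" 2>/dev/null
}

# Same check, but report the machine-readable status gpg emits on --status-fd:
# GOODSIG, BADSIG or NO_PUBKEY (first one seen).
verify_status() {     # $1 = detached signature, $2 = file to check
    GNUPGHOME="$USER_HOME" gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | awk '$2=="GOODSIG"||$2=="BADSIG"||$2=="NO_PUBKEY"{print $2; exit}'
}

SIG="$WORK/release-1.0.tar.gz.sig"
FILE="$WORK/release-1.0.tar.gz"

# 1. Key not yet imported: gpg cannot identify the signer and does not exit 0.
STATUS_NO_KEY="$(verify_status "$SIG" "$FILE")"
if verify_download "$SIG" "$FILE"; then RC_NO_KEY=0; else RC_NO_KEY=$?; fi

# 2. Import the published key first (the recommended order), then verify.
GNUPGHOME="$USER_HOME" gpg --batch --quiet --import "$WORK/signer.asc"
STATUS_WITH_KEY="$(verify_status "$SIG" "$FILE")"
if verify_download "$SIG" "$FILE"; then RC_WITH_KEY=0; else RC_WITH_KEY=$?; fi

# 3. Tamper with the download by appending one byte: the signature no longer matches.
printf 'x' >> "$FILE"
STATUS_TAMPERED="$(verify_status "$SIG" "$FILE")"
if verify_download "$SIG" "$FILE"; then RC_TAMPERED=0; else RC_TAMPERED=$?; fi

echo "without key: rc=$RC_NO_KEY status=$STATUS_NO_KEY"
echo "with key:    rc=$RC_WITH_KEY status=$STATUS_WITH_KEY"
echo "tampered:    rc=$RC_TAMPERED status=$STATUS_TAMPERED"

# Stop the agents started for the temporary keyrings and clean up.
GNUPGHOME="$SIGNER" gpgconf --kill gpg-agent 2>/dev/null || true
GNUPGHOME="$USER_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
rm -rf "$WORK"
```

Scripts that gate an install on the download should test gpg's exit status (or parse `--status-fd` for `GOODSIG`), not grep the human-readable output; note that even a GOODSIG from a freshly imported, uncertified key only proves the file was signed by whoever controls that key, so check the key's fingerprint against one published through a channel you trust.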