Why check signatures?
Checksums such as MD5 and SHA-256 help you answer the question “Did I download this file correctly from whoever sent it to me?” They do a good job at making sure you didn't have any random errors in your download, but they don't help you figure out whether you were downloading it from an attacker. The better question to answer is: “Is this file that I just downloaded really coming from the project developers, or has it been tampered with?” That's what GPG signatures are for.
Download accompanying signature file (.asc)
Signature files are available for each Electrum-GAME package. When you
download a package, make sure you also download its accompanying
signature by clicking on the “signature” link next to it on the download page.
For example, to verify the file
Electrum-GAME-3.2.3.tar.gz you will need the signature file
Use the instructions below if you're using Linux and have GnuPG installed. The Tor Project provides more detailed instructions for Windows and OS X. The signature key to use for Electrum-GAME is
Import signing key from keyserver
Type this in a terminal:
gpg --keyserver keys.fedoraproject.org --recv-keys 0x02f6c8b9d8801f94
You should see:
gpg: trustdb created
gpg: key 02F6C8B9D8801F94: public key "Samad Sajanlal" imported
gpg: Total number processed: 1
gpg:               imported: 1
Verify that the imported fingerprint is correct
gpg --fingerprint 0x02f6c8b9d8801f94
You should see:
pub   rsa4096 2018-10-15 [SC] [expires: 2022-10-15]
      9E27 DCCB 1520 DAB5 E09C  112A 02F6 C8B9 D880 1F94
uid           [ unknown] Samad Sajanlal
sub   rsa4096 2018-10-15 [E] [expires: 2022-10-15]
Verify signature of downloaded file
gpg --verify Electrum-GAME-3.2.3.tar.gz.asc Electrum-GAME-3.2.3.tar.gz
The output should say “Good signature”:
gpg: Signature made Sat Oct 20 16:59:42 2018 CDT
gpg:                using RSA key 9E27DCCB1520DAB5E09C112A02F6C8B9D8801F94
gpg: Good signature from "Samad Sajanlal
Notice that there may be a warning because you haven't assigned a trust index to this person.
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
This means that GnuPG verified that the key made that signature, but it's up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.
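The verification step above, written as a script. This is an added example, not part of the original instructions or the Electrum-GAME project. Instead of reading the output for “Good signature”, it parses GnuPG's machine-readable `--status-fd` lines and accepts the file only if the signature was made by the key whose fingerprint is printed on this page. The function names are assumptions, and the key must already be imported.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of trusting any
# "Good signature" from whatever keys happen to be in the keyring.

# Fingerprint shown by `gpg --fingerprint` on this page, spaces removed.
EXPECTED_FPR=9E27DCCB1520DAB5E09C112A02F6C8B9D8801F94

# check_status FPR  (hypothetical helper)
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if:
#   - a GOODSIG line is present,
#   - every VALIDSIG line names FPR as primary-key fingerprint (last field),
#   - no failure status (bad, unverifiable, expired or revoked) appears.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
        $2 == "VALIDSIG" && toupper($NF) != toupper(want) { other = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !other && !bad) }
    '
}

# verify_release SIGNATURE FILE  (hypothetical helper)
# Status lines go to stdout (fd 1); gpg's human-readable text on stderr
# is discarded. The pipeline's exit code is that of check_status.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Usage: sh verify.sh Electrum-GAME-3.2.3.tar.gz.asc Electrum-GAME-3.2.3.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: $2 is signed by $EXPECTED_FPR"
    else
        echo "FAILED: $2 is not validly signed by the expected key" >&2
        exit 1
    fi
fi
```

A signature from a key past its expiry date is reported by GnuPG as `EXPKEYSIG` rather than `GOODSIG`, so this script rejects it.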
Thanks to Andre Mueller for originally writing these instructions.