I just downloaded the latest version of MediaWiki and want to check its authenticity. They provide a signature file on their download page http://www.mediawiki.org/wiki/Download. How would one use this with the gpg command on Linux?
The process I have used on Ubuntu 12.04 is as follows
(1) Download the mediawiki code
wget http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.2.tar.gz
(2) Download the signature file
wget http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.2.tar.gz.sig
(3) Get the public keys of mediawiki signers
Click on the GPG keys link and then click "Get keys as a text bundle", or just go straight to: https://www.mediawiki.org/keys/keys.txt.
Save the file as keys.txt
(4) Import the public keys
gpg --import keys.txt
(5) Verify the file
gpg --verify mediawiki-1.20.2.tar.gz.sig
This is successful, but I do receive the following warning:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Since I downloaded the keys from what I believe to be a trusted source, I am not worried about this. There must be a way to mark keys as trusted.
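The warning above is gpg saying the signature is cryptographically good but nothing in your keyring vouches that the key belongs to MediaWiki. The check a practitioner would script is therefore not "was there a good signature" but "was there a good signature from the key fingerprint I pinned", read from gpg's machine-readable status output rather than from the human-readable warning. The script below is an added example, not part of the answer above or of MediaWiki's tooling; the fingerprint value and the sample status lines are constructed for illustration, and the tarball and .sig file names are the ones from the steps above.

```shell
#!/bin/sh
# Added example: verify a detached signature and require that it was made
# by a pinned key fingerprint, using gpg's --status-fd output.
# EXPECTED_FPR below is a made-up placeholder; replace it with the 40-hex
# fingerprint of the MediaWiki signing key obtained from a second source.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status EXPECTED_FPR STATUS_TEXT
# Returns 0 only if a "[GNUPG:] VALIDSIG <fpr> ..." line names the expected
# fingerprint and no BADSIG line is present. GOODSIG alone is not enough:
# it reports the key ID that signed, not whether it was the key you expect.
check_status() {
    expected=$1
    status=$2
    printf '%s\n' "$status" | awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($3) == toupper(want) { ok = 1 }
        $1 == "[GNUPG:]" && $2 == "BADSIG" { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_tarball EXPECTED_FPR SIGFILE FILE
# Runs gpg in batch mode and lets check_status decide. gpg exits non-zero on a
# bad signature but still prints status lines, so its own exit code is ignored.
verify_tarball() {
    expected=$1
    sig=$2
    file=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)
    check_status "$expected" "$status"
}

# Constructed sample status output (shape of what gpg prints; key IDs and
# fingerprints are invented for the example).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-01-01 1357000000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Same structure, but signed by some other key that happens to be in the keyring.
SAMPLE_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-01-01 1357000000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Tampered file: signature does not match the data.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'

# Stand-alone demonstration on the constructed samples.
if check_status "$EXPECTED_FPR" "$SAMPLE_GOOD"; then
    echo "sample good: accepted (pinned key)"
fi
if ! check_status "$EXPECTED_FPR" "$SAMPLE_WRONG_KEY"; then
    echo "sample wrong key: rejected"
fi
if ! check_status "$EXPECTED_FPR" "$SAMPLE_BAD"; then
    echo "sample bad sig: rejected"
fi

# Real use: ./verify.sh <fingerprint> mediawiki-1.20.2.tar.gz.sig mediawiki-1.20.2.tar.gz
if [ $# -eq 3 ]; then
    if verify_tarball "$1" "$2" "$3"; then
        echo "signature OK and made by pinned key $1"
    else
        echo "signature missing, bad, or from an unpinned key" >&2
        exit 1
    fi
fi
```

Pinning the fingerprint in the script sidesteps the web-of-trust question entirely, which is the usual approach for unattended builds. If you instead want gpg itself to stop printing the warning for interactive use, compare the fingerprint shown by `gpg --fingerprint` against one obtained out of band and then locally sign the key with your own key (`gpg --lsign-key <fingerprint>`); gpg then treats that key as valid without publishing a certification.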