shell – 如何验证下载的文件与.sig文件？

可以在三个步骤完成。

1)查找公钥ID：

$ gpg gcc-4.7.2.tar.gz.sig 
gpg: Signature made ?t20.zá?í2012,12:30:44CEST using DSA key ID C3C45C06
gpg: Can't check signature: No public key

2)从密钥服务器导入公钥。通常不需要选择密钥服务器，但可以使用–keyserver< server>来完成。 Keyserver examples.

$ gpg --recv-key C3C45C06
gpg: requesting key C3C45C06 from hkp server keys.gnupg.net
gpg: key C3C45C06: public key "Jakub Jelinek <jakub@redhat.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

3)验证签名：

$ gpg gcc-4.7.2.tar.gz.sig 
gpg: Signature made ?t20.zá?í2012,12:30:44CEST using DSA key ID C3C45C06
gpg: Good signature from "Jakub Jelinek <jakub@redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 33C2 35A3 4C46 AA3F FB29  3709 A328 C3A2 C3C4 5C06

输出应该说“好签名”。

gpg: WARNING: This key is not certified with a trusted signature!

是另一个问题;)