Tarballs integrity check

You have to check downloaded archives integrity and verify their signature to be sure that you have got trusted, untampered software. For integrity and authentication of downloaded binaries GNU Privacy Guard is used. You must download signature (.sig) provided with the tarball.

For the very first time you need to import signing public key. It is provided below, but it is better to check alternative resources with it.

pub   rsa2048/0xF2F59045FFE2F4A1 2015-03-10
      D269 9B73 3C41 2068 D8DA  656E F2F5 9045 FFE2 F4A1
uid   GoVPN releases <releases at govpn dot info>

• This website alternates and maillist containing public key fingerprint.

• $ gpg --auto-key-locate dane --locate-keys releases at govpn dot info
  $ gpg --auto-key-locate wkd --locate-keys releases at govpn dot info
  

• -----BEGIN PGP PUBLIC KEY BLOCK-----
  
  mQENBFT/H6cBCADTf/oqoTTBAA/CCQuYtzg8vrXxyjXj9yy4lTWqMSwgLXMm8br/
  kG0Jnk63oP3hggI3hm2mpuiNwpwrJiORLBZCe8JgZW71zG4LfhVpQeWd7fu8WxDx
  0uUZWByz5KcK8c/kNWNDpSkMmmqdE/8v0YDFbsz5U+ytp/Kki/gj3BCeIX3jYOL1
  fxczkv2okoU+aGYXt9z50VzheLUSRLzkkX8yNSpszqfB0LEEmUk8HO2fSS/bXwaY
  ZXX5//suH8V5hwq8vB8dHHCquZW6blyzcTa2KGIh6g2CmpypIQp/i5QAbzOCHKTM
  A1F7A1r0kYF2WfZOrycCfjUx3GA5B7sytuA3ABEBAAG0JEdvVlBOIHJlbGVhc2Vz
  IDxyZWxlYXNlc0Bnb3Zwbi5pbmZvPokBQAQTAQgAKgUCV8sB0wIbAwwLCgkNCAwH
  CwMEAQIHFQoJCAsDAgUWAgEDAAIeAQIXgAAKCRDy9ZBF/+L0oTYyCADJJl4+7Px1
  baF9s1n9EoNsSLTd0QiModJ2bRdX8TBpCeOHIPIOZAKre3Ys3ox6MOcnZyApO141
  7NS557WNcmLyk+f274HqZurveZr/sc3MMdFvkPJ78LOueI6ttx9WlhXAingGR3ax
  +m1ZY7vSfkrGJ7gwUE6ZVZKE1MbM1UIKqazRzTeu7wiiyXEpLYDWgNXSmg9Gl6oF
  EecChlcDp5VDQIaDzHyibUgBdwt32BX07AZcGHB7vIyPUavQJBqhg68hHjGoyFYA
  N+OHCAoqaIfHJUW2xYmvfa0cy3wd02NJWsiw4htxdI+JzcbRnE/XKPIeOr6L0oFB
  LoTku6Vg75g8iF4EEBEIAAYFAlfLAzQACgkQrhqBCeSYV+82HAD9HSVRIV8Li0MD
  pNNLMK6G9SLkvsBVOIBau5Oj1LEWeXcA/3vMiAtypumglnfEhBsa5OLFHgznsBJ2
  JJjYFGQMjWTG
  =RI3T
  -----END PGP PUBLIC KEY BLOCK-----
  

Then you could verify tarballs signature:

$ gpg --verify govpn-2.3.tar.xz.sig govpn-2.3.tar.xz