Verifying package integrity
Packages are hashed using the sha512sum utility. We provide the hash and we provide both signature for the hash and the file. .sig are gpg signature files , while sha512 file are hash files. So for a file names xxxxx.zzz, you'll find 3 other files. One xxxx.zzz.sha512 file to verify the file integrity. One xxxxx.zzz.sha512.sig file to verify that the file was produced by 3liz and one xxxx.zzz.sig file to attest that the pakage you downloaded was produced by our team.
Verifying packages hash (.sha512)
simply run the command sha512sum --check xxxx.zzz.sha512 while both xxx.zzz.sha512 and xxxx.zzz are in the same directory.
verifying signature (.sig)
you'll need gpg installed as welle as our key install. our key is release@3liz.org. You can download it here. You need to import the key in gpg with the command gpg --import key , or do a gpg --search release@3liz.org and import the key that way
Once you have the key, you need to run gpg --verify file.sig file.