Verifying GPG Tools using GPG Tools
To be clear, I'm not an expert on security. If your life or livelihood depends on secure communications, please be sure to explore trusted resources published by experts.
From what I understand, you should use this method only if you are already running a version of GPG Tools that you trust, since it is that existing copy of gpg doing the checking. Here are the steps I took:
Went to https://gpgtools.org/ and downloaded the latest version
Clicked on the link for the "please download and import our updated key"
Got a big screen of scrambled text (the ASCII-armored key), and copied the URL from the browser window
In Terminal, I used that URL to import the key:
# -f makes curl fail on an HTTP error instead of piping an error page into gpg
curl -fsS https://gpgtools.org/GPGTools%2000D026C4.asc | gpg --import
Then I listed the keys on my keyring, with their fingerprints ...
gpg --list-keys --fingerprint
I see that the GPG Tools key is in my keyring, and that the key fingerprint listed matches the one currently at the bottom of the gpgtools.org web page.
pub   2048D/00D026C4 2010-08-19 [expires: 2018-08-19]
      Key fingerprint = 85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4
uid       [ultimate] GPGTools Team <email@example.com>
uid       [ultimate] GPGMail Project Team (Official OpenPGP Key) <firstname.lastname@example.org>
uid       [ultimate] GPGTools Project Team (Official OpenPGP Key) <email@example.com>
uid       [ultimate] [jpeg image of size 5871]
I downloaded the GPG signature, using the "Download GPG Signature" link on that page
I then checked the signature file (ends in .sig) against the original downloaded file (ends in .dmg)
gpg --verify GPG_Suite-2015.03-b6.dmg.sig GPG_Suite-2015.03-b6.dmg
And I got confirmation I'm good.
gpg: Good signature from "GPGTools Team <firstname.lastname@example.org>" [ultimate]
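The two checks above that I did by eye, scripted as an added example (not code from the original post): the fingerprint comparison from the listing step, and a signature check that insists the VALIDSIG status line names the GPGTools key, because gpg prints "Good signature" for any key that happens to be on the keyring. It assumes a POSIX sh with awk; the fingerprint is the one quoted above, and the sample gpg output embedded below is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh + awk;
# the commented gpg calls need gpg installed. Sample gpg output is constructed.

EXPECTED_FPR="85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4"

# Strip the spaces gpg prints for humans and uppercase, so comparisons are exact.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read "gpg --with-colons --fingerprint" output on stdin; succeed only if an
# fpr: record carries the expected fingerprint (field 10 of that record).
keyring_has_fpr() {
    awk -F: -v want="$(norm_fpr "$1")" '
        $1 == "fpr" && $10 == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Read "gpg --status-fd 1 --verify" output on stdin; succeed only if a VALIDSIG
# line names the expected key. GOODSIG is emitted for any key on the keyring,
# so on its own it does not prove the file came from GPGTools.
status_has_validsig() {
    awk -v want="$(norm_fpr "$1")" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Real use (needs gpg plus the .dmg and .sig from the steps above):
#   gpg --with-colons --fingerprint | keyring_has_fpr "$EXPECTED_FPR" || exit 1
#   gpg --status-fd 1 --verify "$DMG.sig" "$DMG" 2>/dev/null \
#       | status_has_validsig "$EXPECTED_FPR" || exit 1

# Constructed samples of what gpg prints for the two checks.
SAMPLE_KEYRING='pub:u:2048:17:76D78F0500D026C4:2010-08-19:2018-08-19::u:::scaESCA:
fpr:::::::::85E38F69046B44C1EC9FB07B76D78F0500D026C4:
uid:u::::2010-08-19::0123456789ABCDEF0123456789ABCDEF01234567::GPGTools Team <team@example.com>:'
SAMPLE_STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76D78F0500D026C4 GPGTools Team <team@example.com>
[GNUPG:] VALIDSIG 85E38F69046B44C1EC9FB07B76D78F0500D026C4 2015-03-10 1425988800 0 4 0 17 10 00 85E38F69046B44C1EC9FB07B76D78F0500D026C4
[GNUPG:] TRUST_ULTIMATE'
# Same shape, but signed by some other key that is also on the keyring.
SAMPLE_STATUS_OTHER='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <other@example.com>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2015-03-10 1425988800 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF00112233'
```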
This method also works for other signed software, such as OnionShare.