To be clear, I'm not an expert on security. If your life or livelihood depends on secure communications, please be sure to explore trusted resources published by experts.
From what I understand, one should use this method only if you're running an existing version of GPG Tools that you trust. Here are the steps I took:
- Went to https://gpgtools.org/ and downloaded the latest version
- Clicked on the "please download and import our updated key" link
- Got a big screen of scramble, and copied the URL from the browser window
- In Terminal, I used that URL to import the key:
    curl -fsS https://gpgtools.org/GPGTools%2000D026C4.asc | gpg --import
- Then I listed the keys on my keyring, with their fingerprints:
    gpg --list-keys --fingerprint
- I saw that the GPG Tools key was in my keyring, and that the key fingerprint listed matched the one currently at the bottom of the gpgtools.org web page:
    pub   2048D/00D026C4 2010-08-19 [expires: 2018-08-19]
          Key fingerprint = 85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4
    uid   [ultimate] GPGTools Team <team@gpgtools.org>
    uid   [ultimate] GPGMail Project Team (Official OpenPGP Key) <gpgmail-devel@lists.gpgmail.org>
    uid   [ultimate] GPGTools Project Team (Official OpenPGP Key) <gpgtools-org@lists.gpgtools.org>
    uid   [ultimate] [jpeg image of size 5871]
- I downloaded the GPG signature, using the "Download GPG Signature" link on that page
- I then checked the signature file (ends in .sig) against the original downloaded file (ends in .dmg):
    gpg --verify GPG_Suite-2015.03-b6.dmg.sig GPG_Suite-2015.03-b6.dmg
- And I got confirmation that I'm good:
    gpg: Good signature from "GPGTools Team <team@gpgtools.org>" [ultimate]
This method also works for other signed software, such as OnionShare.
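The steps above, scripted as an added example (this is not code from the original post or from GPGTools). It pins the key fingerprint quoted in the post, refuses to import a key file whose fingerprint differs, and decides "good or not" from gpg's machine-readable --status-fd lines rather than from the human-readable "Good signature" text. The file names, the GnuPG 2.2+ assumption (for --show-keys), and the sample status output used for self-checking are assumptions or constructed data, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies a signed download
# against a pinned OpenPGP key fingerprint using gpg's --status-fd output.
# Assumes GnuPG >= 2.2 (for --show-keys). File names are placeholders.

# Fingerprint of the GPGTools key as it appeared in the post's key listing.
EXPECTED_FPR="85E3 8F69 046B 44C1 EC9F B07B 76D7 8F05 00D0 26C4"

# Normalise a fingerprint so "85e3 8f69 ..." and "85E38F69..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 only if the --status-fd text in $1 shows a GOODSIG (key neither
# expired nor revoked) and a VALIDSIG whose primary-key fingerprint (last
# field of the VALIDSIG line) equals the pinned fingerprint in $2.
check_status() {
    status="$1"
    want=$(norm_fpr "$2")
    goodsig=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="GOODSIG" {print "yes"; exit}')
    primary=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF; exit}')
    [ "$goodsig" = "yes" ] && [ -n "$primary" ] && [ "$(norm_fpr "$primary")" = "$want" ]
}

# Import a downloaded .asc only if its primary fingerprint is the pinned one.
# --show-keys lists the file without importing; field 10 of an "fpr" record
# in --with-colons output is the fingerprint.
import_pinned_key() {
    keyfile="$1"
    got=$(gpg --batch --with-colons --show-keys "$keyfile" 2>/dev/null | awk -F: '$1=="fpr" {print $10; exit}')
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$(norm_fpr "$EXPECTED_FPR")" ] || return 1
    gpg --batch --quiet --import "$keyfile"
}

# Verify sig against data, capturing status lines on fd 3 and discarding the
# human-readable output, then apply check_status.
verify_download() {
    sig="$1"
    data="$2"
    status=$(gpg --batch --status-fd 3 --verify "$sig" "$data" 3>&1 1>/dev/null 2>/dev/null) || true
    check_status "$status" "$EXPECTED_FPR"
}

# Constructed sample status output (not captured from a real run) used to
# self-check check_status: a valid signature from the pinned key...
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID AbCdEfGhIjKlMnOpQrStUvWxYz0 2015-03-12 1426176000
[GNUPG:] GOODSIG 76D78F0500D026C4 GPGTools Team <team@gpgtools.org>
[GNUPG:] VALIDSIG 85E38F69046B44C1EC9FB07B76D78F0500D026C4 2015-03-12 1426176000 0 4 0 17 2 00 85E38F69046B44C1EC9FB07B76D78F0500D026C4
[GNUPG:] TRUST_ULTIMATE 0 pgp'
# ...and a valid signature from some other key (same shape, different fingerprint).
SAMPLE_OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2015-03-12 1426176000 0 4 0 17 2 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: sh verify.sh GPGTools_00D026C4.asc GPG_Suite.dmg.sig GPG_Suite.dmg
main() {
    if ! import_pinned_key "$1"; then
        echo "refusing to import $1: fingerprint is not $EXPECTED_FPR" >&2
        exit 1
    fi
    if verify_download "$2" "$3"; then
        echo "OK: $3 carries a good signature from the pinned key"
    else
        echo "FAIL: $3 is not signed by the pinned key" >&2
        exit 1
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The pinned fingerprint is the one thing the script trusts; the key file and the fingerprint shown on the download page both come from the same server, so the pin should be recorded out of band (from an earlier install, a second channel, or a key you already hold) before this is worth more than the page's own say-so. Checking the VALIDSIG fingerprint rather than the GOODSIG text also means a signature from a different but validly imported key, or a signer name that happens to say "GPGTools Team", is rejected.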