How to verify a downloaded file

The steps to verify a downloaded file from GParted project. Here we take gparted-live-1.1.0-5-amd64.iso and gparted-live-1.1.0-5-amd64.zip as an example:

1. Download CHECKSUMS.TXT, CHECKSUMS.TXT.gpg, gparted-live-1.1.0-5-amd64.iso and gparted-live-1.1.0-5-amd64.zip from GParted website.
2. Retrieve key from key server:
   
   

         $ gpg --keyserver hkps://keys.openpgp.org --recv-key 8E94C9CD163E3FB0
         Or
         $ gpg --keyserver hkp://keyserver.ubuntu.com --recv-key 8E94C9CD163E3FB0
       

3. Run the following command to verify CHECKSUMS.TXT:
   
   

        $ gpg --verify CHECKSUMS.TXT.gpg CHECKSUMS.TXT
        gpg: Signature made Fri 03 Jul 2020 08:43:17 PM CST
        gpg:                using RSA key EB1DD5BF6F88820BBCF5356C8E94C9CD163E3FB0
        gpg: Good signature from ...
        gpg: WARNING: This key is not certified with a trusted signature!
        gpg:          There is no indication that the signature belongs to the owner.
        Primary key fingerprint: EB1D D5BF 6F88 820B BCF5  356C 8E94 C9CD 163E 3FB0
       

   The "Good signature" shows the downloaded CHECKSUMS.TXT is successfully verified by CHECKSUMS.TXT.gpg.
   
   
4. Use the CHECKSUMS.TXT to verify the downloaded iso and zip file. Make sure they are in the same directory with CHECKSUMS.TXT. We use the command sha256sum to verify the checksums, but you can use md5sum, sha1sum, or sha512sum, too:
   
   

     $ sha256sum -c --ignore-missing CHECKSUMS.TXT
     gparted-live-1.1.0-5-amd64.iso: OK
     gparted-live-1.1.0-5-amd64.zip: OK
     sha256sum: WARNING: 22 lines are improperly formatted
     

   The "OK" after the file name shows the downloaded gparted-live-1.1.0-5-amd64.iso and gparted-live-1.1.0-5-amd64.zip are successfully checked by the SHA256 message digest.
   For more details, you can refer to this tutorial.