When I download GCC, it also has a .sig file, and I think it is provided to verify the downloaded file.
(I downloaded GCC from here).
But I can't figure out ho
This other avenue is particularly useful for verifying GNU projects (e.g. Octave) since the key requested by their signature may not be found in any key server.
From http://ftp.gnu.org/README:
There are also .sig files, which contain detached GPG signatures of the above files, automatically signed by the same script that generates them.
You can verify the signatures for gnu project files with the keyring file from:
https://ftp.gnu.org/gnu/gnu-keyring.gpg
In a directory with the keyring file, the source file to verify and the signature file, the command to use is:
$ gpg --verify --keyring ./gnu-keyring.gpg foo.tar.xz.sig
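A scripted form of the check above, added here as an example and not part of the answer or the GNU README: it uses only the GNU keyring (`--no-default-keyring`), names the data file explicitly, and decides from gpg's machine-readable `--status-fd` lines. The function names are hypothetical and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the answer or the GNU README). Function names are
# hypothetical; the sample status lines further down are constructed.

# Read gpg "--status-fd" lines on stdin. Print the signing key fingerprint and
# return 0 only if a VALIDSIG line is present and no failure status appears.
check_status() {
    fpr='' bad=''
    while read -r tag kw arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            VALIDSIG) fpr=$arg ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) bad=$kw ;;
        esac
    done
    if [ -n "$bad" ]; then echo "rejected: $bad" >&2; return 1; fi
    if [ -z "$fpr" ]; then echo "rejected: no VALIDSIG" >&2; return 1; fi
    printf '%s\n' "$fpr"
}

# usage: verify_detached KEYRING SIG DATA
# Checks DATA against the detached signature SIG using KEYRING alone.
verify_detached() {
    # A keyring name without a slash is looked up in gpg's home directory,
    # so force a path relative to the current directory.
    case "$1" in */*) kr=$1 ;; *) kr=./$1 ;; esac
    gpg --no-default-keyring --keyring "$kr" --status-fd 1 \
        --verify "$2" "$3" 2>/dev/null | check_status
}

# Constructed sample status output (key ID and fingerprint are made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1704067200 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

# Run the real check only when called with three arguments, e.g.
#   sh thisfile ./gnu-keyring.gpg foo.tar.xz.sig foo.tar.xz
if [ "$#" -eq 3 ]; then
    verify_detached "$@"
fi
```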