Download the sums file and the corresponding ".sign" file, e.g. SHA512SUMS and SHA512SUMS.sign

Then:

    gpg --verify SHA512SUMS.sign

This will complain:

    gpg: directory `/home/general/.gnupg' created
    gpg: new configuration file `/home/general/.gnupg/gpg.conf' created
    gpg: WARNING: options in `/home/general/.gnupg/gpg.conf' are not yet active during this run
    gpg: keyring `/home/general/.gnupg/pubring.gpg' created
    gpg: Signature made Mon 28 Apr 2014 19:31:12 PDT using RSA key ID 6294BE9B
    gpg: Can't check signature: public key not found

Use that key ID to get the key from the Debian key server:

    gpg --keyserver keyring.debian.org --recv-keys 6294BE9B

    gpg: requesting key 6294BE9B from hkp server keyring.debian.org
    gpg: /home/general/.gnupg/trustdb.gpg: trustdb created
    gpg: key 6294BE9B: public key "Debian CD signing key <email@example.com>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)

Now you can verify the signature:

    gpg --verify SHA512SUMS.sign

    gpg: Signature made Mon 28 Apr 2014 19:31:12 PDT using RSA key ID 6294BE9B
    gpg: Good signature from "Debian CD signing key <firstname.lastname@example.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

Now go to https://www.debian.org/CD/verify and check that that fingerprint is there.

Now verify the checksums:

    sha512sum -c SHA512SUMS

If that returns "OK" for the file you downloaded, it is a good file.
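
The same procedure as a script, added here as an example and not part of the original note. "Good signature" is printed for any key in the keyring, and the key above was fetched by an 8-hex-digit ID, so the script compares the full primary-key fingerprint from gpg's machine-readable `--status-fd` output against a pinned value and then checks only the downloaded image. Function names are hypothetical, and the key is assumed to be imported already as shown above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical.
# Fingerprint as printed in the note above; confirm it at
# https://www.debian.org/CD/verify before relying on it.
PINNED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Reads `gpg --status-fd 1` lines on stdin. Succeeds only if a GOODSIG
# (not EXPKEYSIG/REVKEYSIG/BADSIG) is followed by a VALIDSIG for the same
# signing key whose last field, the primary-key fingerprint, equals $1.
sig_matches_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = $3 }
        $2 == "VALIDSIG" {
            tail = substr($3, length($3) - length(good) + 1)
            if (good != "" && tail == good && $NF == want) ok = 1
        }
        END { exit !ok }'
}

# check_one SUMSFILE FILE: compare one file against its entry in the sums
# file, so the other images listed there do not have to be present.
# Returns 2 if the file is not listed, 1 on mismatch, 0 on match.
check_one() {
    want=$(awk -v f="$(basename "$2")" \
        '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$1")
    [ -n "$want" ] || return 2
    have=$(sha512sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# verify_image SUMSFILE SIGFILE IMAGE: signature first, checksum second.
verify_image() {
    gpg --status-fd 1 --verify "$2" "$1" | sig_matches_pinned "$PINNED_FPR" || {
        echo "signature on $1 was not made by the pinned key" >&2; return 1; }
    check_one "$1" "$3" || {
        echo "checksum mismatch, or $3 is not listed in $1" >&2; return 1; }
    echo "OK: $3"
}

# Run as: sh verify.sh SHA512SUMS SHA512SUMS.sign image.iso
if [ "$#" -eq 3 ]; then verify_image "$@"; fi
```
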