You have the option to verify the file you just downloaded. The following verification options are available:
You can check the file's MD5 sum so you know whether the file has arrived on your machine intact.
Step 1: Download the MD5 sum here.
Step 2: Open a terminal, enter the directory you downloaded the file to, and type this:
    md5sum --check "atrinik-4.0.0-Linux.deb.md5"
You should see something like atrinik-4.0.0-Linux.deb: OK. If not, the MD5 sum didn't match and you shouldn't use the file; delete it and try downloading it again.
MD5 sum on Windows
This is how you verify MD5 checksums under Windows. You can check the file's MD5 sum so you know whether the file has arrived on your machine intact.
Step 1: Download and install digestIT. digestIT is a tool for checking SHA-1 and MD5 hashes that should be easy to use for most Windows users.
Step 2: Download the MD5 sum here.
Step 3: Open the md5 file in a text editor such as Notepad and copy the first part of it. This should be the MD5 Hash.
Step 4: Go to the folder where you saved the client installer. Right-click the file and select digestIT -> Verify MD5 Hash (or Calculate MD5 Hash).
Step 5: Paste the MD5 sum and click OK. If the checksums match, you will see: "Digest matches. Verification succeeded." If you select "Calculate MD5 Hash" then you will need to visually compare the calculated MD5 with the one you downloaded.
If the MD5 sum doesn't match, you shouldn't use the file; delete it and try downloading it again.
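The comparison that md5sum --check and digestIT's "Verify MD5 Hash" perform can also be scripted, which avoids comparing the hash by eye. The following Python script is an added example, not part of the original page or of Atrinik's own tooling; the function names are assumptions. It reads an md5sum-style file, hashes each listed file from the same directory, and reports OK, FAILED or MISSING. As with the steps above, a matching MD5 sum shows the download arrived intact; it is the signature check that ties the file to its publisher.

```python
import hashlib
import os
import re
import sys

# One line of an md5sum-style file: 32 hex digits, a space, then ' ' (text)
# or '*' (binary), then the file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")

def parse_md5_file(path):
    """Return a list of (expected_hex_digest, file_name) from a .md5 file."""
    entries = []
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\r\n")
            if not line:
                continue
            m = LINE_RE.match(line)
            if m is None:
                raise ValueError(f"not an md5sum line: {line!r}")
            entries.append((m.group(1).lower(), m.group(2)))
    return entries

def md5_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check(md5_path):
    """Map each listed file name to 'OK', 'FAILED' or 'MISSING'."""
    base = os.path.dirname(os.path.abspath(md5_path))
    results = {}
    for expected, name in parse_md5_file(md5_path):
        target = os.path.join(base, name)
        if not os.path.isfile(target):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if md5_of(target) == expected else "FAILED"
    return results

if __name__ == "__main__":
    # Usage: pass the path of the downloaded .md5 file as the only argument.
    outcome = check(sys.argv[1])
    for name, status in outcome.items():
        print(f"{name}: {status}")
    sys.exit(0 if outcome and all(s == "OK" for s in outcome.values()) else 1)
```

Save the script next to the downloaded installer and its .md5 file and pass the .md5 file as the argument; a non-zero exit status means the file should be deleted and downloaded again.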
Verifying the file's signature lets you check that the file is exactly as intended. If the signature is not valid, you should not trust the file.
Step 1: Download the digital signature here.
Step 2: Get the public key:
    gpg --keyserver wwwkeys.pgp.net --recv-keys 2A3C0B6C
Step 3: Verify the file's signature:
    gpg --verify atrinik-4.0.0-Linux.deb.asc
Step 4: Now you can verify that the public key is owned by someone that you trust from Atrinik. Visit Launchpad's people search page and search for the person's name or email from the output of gpg --verify in the previous step. From their profile page, you can check their involvement in Atrinik and also that they own the key used to sign the file you downloaded.
See the GPG manual for help with gpg.