Since version 0.25 each source tarball is accompanied by a file with the same name and the extension ".asc".

These are PGP signatures, so you can verify that the file you've downloaded is exactly the one that we intended you to get. The tarballs are signed by the developer, Robert Hogan, with key 0x22F6856F.

To import this key, do the following at the command line: 

gpg --keyserver subkeys.pgp.net --recv-keys 0x22F6856F

The fingerprint for this key is:

gpg: NOTE: old default options file `/home/robert/.gnupg/options' ignored
pub   1024D/22F6856F 2006-08-19
      Key fingerprint = DDB4 6B5B 7950 CD47 E59B  5189 4C09 25CF 22F6 856F
uid                  Robert Hogan < >
sub   1024g/FC4A9460 2006-08-19

  So to verify the tarball you put the tarball and the '.asc' file in the same directory. Then do (changing '0.25' to the appropriate version number):

gpg --verify tork-0.25.tar.bz2.asc 

 The output should be something like:

gpg: Signature made Fri 28 Dec 2007 07:58:27 PM GMT using DSA key ID 22F6856F
gpg: Good signature from "Robert Hogan < >"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:                      There is no indication that the signature belongs to the owner.

 You can remove the warning by electing to trust the developer's signing key.

This is what a BAD verification response looks like:

gpg --verify tork-0.25.tar.bz2.asc
gpg: Signature made Wed Feb 23 01:33:29 2005 EST using DSA key ID 22F6856F
gpg: BAD signature from "Robert Hogan < >"