The signing key ID used for repmgr source code bundles is: 0x297F1DCC. To download the repmgr source key to your computer: curl -s http://packages.2ndquadrant.com/repmgr/SOURCE-GPG-KEY-repmgr | gpg --import gpg --fingerprint 0x297F1DCC then verify that the fingerprint is the expected value: 085A BE38 6FD9 72CE 6365 340D 8365 683D 297F 1DCC For checking tarballs, first download and import the repmgr source signing key as shown above. Then download both source tarball and the detached key (e.g. repmgr-4.0beta1.tar.gz and repmgr-4.0beta1.tar.gz.asc) from https://repmgr.org/download/ and use gpg to verify the key, e.g.: gpg --verify repmgr-4.0beta1.tar.gz.asc The signing key ID used for repmgr source code bundles is: 0x702D883A. To download the repmgr source key to your computer: curl -s http://packages.2ndquadrant.com/repmgr/RPM-GPG-KEY-repmgr | gpg --import gpg --fingerprint 0x702D883A then verify that the fingerprint is the expected value: AE4E 390E A58E 0037 6148 3F29 888D 018B 702D 883A To check a repository RPM, use rpmkeys to load the packaging signing key into the RPM database then use rpm -K, e.g.: sudo rpmkeys --import http://packages.2ndquadrant.com/repmgr/RPM-GPG-KEY-repmgr rpm -K postgresql-bdr94-2ndquadrant-redhat-1.0-2.noarch.rpm