I find there is a lot of assumed knowledge when it comes to source file archives, particularly on Open Source projects, which I think makes them less accessible to the masses. Anyway here are my notes on how you can check signatures an unpack files on a Mac. I'll use QEMU an open source virtual host as an example.
- Download - QEMU and the signature file. I created a folder on my Desktop called QEMU and put them in there.
- Check the signature: Full details here and here but basically install GPG4win, then run the following in Terminal:change to the relevant directory: cd /Users/[your username]/Desktop/QEMU
verify the file: gpg --verify qemu-1.1.1-1.tar.bz2.sigNB: My Mac had renamed the file to .sig.bz2. I think on downloading it recognised it was a bz2 but didn't have a bz2 extension so appended one. However it didn't show that in Finder so you might want to do an ls command on the Terminal command line first to check then rename if necessary:mv qemu-1.1.1-1.tar.bz2.sig.bz2 qemu-1.1.1-1.tar.bz2.sig
- Extract it: The in-built 'Archiver' didn't work for me: instead of unpacking it packed the file back up into a zip. (UPDATE: It does work on Mountain Lion 10.8). I used The Unarchiver instead.