Tarball Verification

You download both a file and a detached GPG signature
Signature normally called filename.sign

Example:  ftp.kernel.org provides signatures for all kernels and patches

gpg --verify pre-patch-2.3.46-1.gz.sign pre-patch-2.3.46-1.gz
gpg: Signature made Mon Feb 14 12:48:03 2000 EST using DSA key ID 1E1A8782
gpg: Good signature from "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>"