Before you install any package from our project, we recommend that you verify it using our PGP key. Follow these two steps if you are not used to PGP (using gpg).
You first need to import our public key:
ossec-test# wget http://www.ossec.net/files/OSSEC-GPG-KEY.asc
ossec-test# gpg --import OSSEC-GPG-KEY.asc
And then verify each file against its signature:
ossec-test# gpg --verify file.sig file
You should get the following result:
gpg: Signature made Tue 19 Jul 2011 03:13:58 PM BRT using RSA key ID A3901351
gpg: Good signature from "Daniel B. Cid"
Primary key fingerprint: 6F11 9E06 487A AF17 C84C E48A 456B 17CF A390 1351
*Note that the key expiration date was changed recently. If you get a warning saying “gpg: Note: This key has expired!”, make sure to update the key and run the “import” command again (as specified above).
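A "Good signature" line only means that some key in your keyring made the signature, so a scripted check should also compare the fingerprint with the one shown above. The following is an added example, not part of the OSSEC project's own instructions: the function names are hypothetical, the sample status lines are constructed, and it reads gpg's machine-readable --status-fd output instead of the human-readable text.

```sh
#!/bin/sh
# Added example. Fingerprint copied from this page, spaces removed.
OSSEC_FPR="6F119E06487AAF17C84CE48A456B17CFA3901351"

# Read "gpg --status-fd" lines on stdin; print ok, expired-key, wrong-key or bad.
classify_status() {
    awk -v want="$OSSEC_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"   { good = 1 }
        $2 == "EXPKEYSIG" { expired = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key, field 12 (if present) the primary key.
        $2 == "VALIDSIG"  { fpr = toupper((NF >= 12) ? $12 : $3) }
        END {
            if (bad)                            print "bad"
            else if (fpr != "" && fpr != want)  print "wrong-key"
            else if (expired)                   print "expired-key"
            else if (good && fpr == want)       print "ok"
            else                                print "bad"
        }'
}

# Constructed status lines (timestamps invented) for a signature by the pinned key.
sample_good_status() {
    printf '%s\n' \
        "[GNUPG:] GOODSIG 456B17CFA3901351 Daniel B. Cid" \
        "[GNUPG:] VALIDSIG $OSSEC_FPR 2011-07-19 1311099238 0 4 0 1 2 00 $OSSEC_FPR"
}

# usage: verify_ossec_file file.sig file
# Succeeds only for a good signature whose primary key matches OSSEC_FPR.
verify_ossec_file() {
    verdict=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status)
    echo "$2: $verdict"
    [ "$verdict" = ok ]
}
```

Source the file and call verify_ossec_file file.sig file; a verdict of expired-key corresponds to the expiry warning in the note above and means the key should be imported again.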

