If you wish, you may verify the tarball package signatures with GnuPG, in case you want to be sure that you are getting unmodified files directly from the upstream. To do that, use the following commands:
Retrieve Matti Hämäläinen's public key from a keyserver: gpg --keyserver wwwkeys.pgp.net --recv-keys 0x307BAAE3
Verify the package signature (assuming you have downloaded both the file and signature): gpg --verify ggrtf-0.7.4.2.tar.gz.asc If the data is untampered, you should get a result like 'gpg: Good signature from "Matti Hamalainen (ccr) <ccr@tnsp.org>"'
Please refer to GnuPG or PGP documentation for more information about their usage. A great introduction to PKI, cryptography and public key signing, the GNU Privacy Handbook is available from GnuPG project. (Versions in other languages and formats, including PDF, are available from http://www.gnupg.org/documentation/guides.en.html.)