Manually verify packages
signs most of its packages, gems, and release tarballs with GNU Privacy Guard (GPG). This signature proves that the packages originate from and have not been compromised. Security-conscious users can use GPG to verify package signatures.
If you install from the Yum and Apt repositories, the release package that enables the repository also installs our release signing key. The Yum and Apt tools automatically verify the integrity of packages as you install them.
If you install an agent using an .msi package, the installer automatically verifies the signature before installing the package.
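For files the automatic checks above do not cover, such as a release tarball with a detached signature, the following added example (not taken from the original page or the vendor's documentation) shows one way to verify manually with GPG. It checks the signing key against a pinned fingerprint instead of trusting any "Good signature" result. The function names, file names and fingerprint are assumptions; use the fingerprint the vendor publishes.

```shell
#!/bin/sh
# Added example: verify a detached GPG signature AND pin the signing key.
# "Good signature" alone only proves that some key in your keyring signed
# the file, so the primary-key fingerprint is compared with a pinned value.

# status_ok STATUS_TEXT EXPECTED_FPR   (hypothetical helper)
# Succeeds only if gpg's --status-fd output contains GOODSIG (signature is
# valid and the key is neither expired nor revoked) and a VALIDSIG line
# whose last field, the primary-key fingerprint, equals EXPECTED_FPR.
status_ok() {
    # Normalise the pinned value: drop spaces, upper-case the hex digits.
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"                 { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { pinned = 1 }
        END { exit !(good && pinned) }'
}

# verify_release FILE SIGFILE EXPECTED_FPR   (hypothetical helper)
# Runs gpg against the detached signature and applies status_ok to the
# machine-readable status lines. Fails closed if gpg itself reports an error
# (bad signature, missing public key, unreadable file).
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    status_ok "$status" "$3"
}

# Usage, with placeholder names:
#   gpg --import release-key.asc          # key obtained from the vendor
#   verify_release pkg.tar.gz pkg.tar.gz.asc "<PINNED-40-HEX-FINGERPRINT>" \
#       && echo "signature and signer verified"
```

Obtain the pinned fingerprint through a channel separate from the download itself, so that a tampered mirror cannot supply both the package and a matching key.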