doubt

OpenPGP is a standard for creating and verifying digital signatures. The GnuPG program on Linux systems is the tool that implements the standard. (As well as compatibility with older PGP and GnuPG programs, and other assorted cryptography tools.)

The .sig file is a digital signature. The .pgp file is a key that should uniquely identify a single person. (In this case, Wietse Venema, author of the Postfix MTA.)

You can import the .pgp file into your GnuPG keyring, and then verify that Wietse really published the postfix tarball.

But PLEASE download Wietse's key from his own domain: http://www.porcupine.org/wietse/wietse.pgp

Once you've downloaded all three files, try this:

gpg --import wietse.pgp
gpg postfix-2.2.10.tar.gz.sig

(I tried this myself, and, after downloading Wietse's key from his own website, and downloading the newest versions of postfix from your mirror site...

sarnold@haig:/tmp$ gpg --import wietse.pgp
gpg: key C12BCD99: public key "Wietse Venema <email address hidden>" imported
gpg: key D5327CB9: public key "wietse venema <email address hidden>" imported
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 2)
gpg: no ultimately trusted keys found
sarnold@haig:/tmp$ gpg postfix-2.7.0.tar.gz.sig
gpg: Signature made Sat 13 Feb 2010 06:12:04 PM PST using RSA key ID C12BCD99
gpg: Good signature from "Wietse Venema <email address hidden>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FF 96 4A 8C 96 88 7C 6E A4 EF AD BF 48 34 E1 BB

The details about the 'not certified' and 'no indication' is a much larger question about trusting that the key actually matches the person. So, keys are signed by other keys to say that the person controlling the signing key vouches for the ownership..

sarnold@haig:/tmp$ gpg --list-sigs C12BCD99
pub 2048R/C12BCD99 2005-02-28
uid Wietse Venema <email address hidden>
sig C12BCD99 2005-02-28 Wietse Venema <email address hidden>
sig D5327CB9 2005-02-28 wietse venema <email address hidden>

This shows that there are two keys 'owned' by wietse. (Of course, anyone can generate a key that says the same thing. But, the file from porcupine.org has both of these keys embedded...)

$ gpg --list-sigs D5327CB9
pub 1022R/D5327CB9 1992-09-25
uid wietse venema <email address hidden>
sig D5327CB9 1998-02-05 wietse venema <email address hidden>
uid wietse venema <email address hidden>
sig 7E0AB281 1995-09-28 [User ID not found]
sig 5D0D4079 1996-01-30 [User ID not found]
...

If your GnuPG is correctly configured, you can use gpg --recv-key 7E0AB281 5D0D4079 to download all those other keys from keyservers... and check _those_ keys. In this fashion, you can build a 'web of trust', that hopefully you can navigate from someone you trust to the person you need to trust.

If you're really interested in learning more:
http://en.wikipedia.org/wiki/OpenPGP
http://en.wikipedia.org/wiki/Web_of_trust

Most people would be content that the file they downloaded this year matches the key they downloaded last year. (Same as ssh host keys.) But, the 'web of trust' that GnuPG supports can help you verify that someone is who they say they are on the first contact, assuming that someone you trust knows someone they trust to tell if someone else would be good at determining if someone else really is who they say they are. (Yes, it gets complicated, but with key signing parties at conferences, it isn't unusual for some keys to have hundreds of signatures.)

http://people.debian.org/~weasel/weboftrust/debian/20100202/output/centrality-sorted.html

If you find Weasel's key page from this list, you'll see that he's 2.0xxx distance from the 'mean' of the largest connected group. That means just about anyone who has attended a keysigning event somewhere is going to have a very short chain of trust to get to Weasel.

Perhaps I've strayed a bit from your original questions -- but GnuPG is one of my nerd-hobbies, and I think there is a lot of fascinating pieces going on behind the scenes of making sure our software is secure. :)