gpg --verify

    If I use gpg to check the validity of a file, say file.tar.xz using a file.tar.xz.asc (downloaded to the PC), i.e.

    gpg --verify file.tar.xz.asc file.tar.xz

    Does this command simply compare file.xz.asc with the same (hopefully the same) file stored in file.tar.xz?

    Or is it more complicated? If so, please explain.

    Thanks
    kubuntu version: 16.04.5 LTS

    Laptop: Toshiba-Satellite-L350

    #2
    Searching...

    UNIX / Linux: PGP TarBall File Signature Keys Verification: http://www.cyberciti.biz/faq/pgp-tar...-verification/

    The GNU Privacy Handbook - Making and verifying signatures: https://www.gnupg.org/gph/en/manual/x135.html


      #3
      The link to the tarball file verification explains how a tarball is verified -- by downloading the public gpg key of the author of the tarball. However, verifying the author and his/her intent is another matter.
      That's why it is important to work down from a chain of trust, as is done by the Kubuntu repository and the Launchpad site. Getting approval to add packages to those sites involves an extensive auditing and verification process. Betray that trust even once and you are through as a contributor.

      Wgetting tarballs from random locations, even with a gpg key, is risky if you do not know the author of the tarball/key or he/she is not verified by someone you do know and trust. The keys in the authentication section of Muon are from trusted sources, so the packages signed by those keys are equally trusted. Beyond the Kubuntu (or Ubuntu or Debian) repository and launchpad I RARELY go off the reservation to hunt wild game. When I do it is usually to trusted sites like Oracle or PostgreSQL or Qt Project, which themselves have a verified trust chain.
      Last edited by GreyGeek; Jan 19, 2015, 12:55 PM.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
      – John F. Kennedy, February 26, 1962.
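An added illustration for the question that opens this thread (not written by any poster here): the script signs a constructed file with a throwaway key, then runs `gpg --verify` against the untouched file, against a keyring that lacks the signer's public key, and against a modified file. It assumes GnuPG 2.1 or later; the function names, the demo identity and the file contents are made up for the example.

```bash
#!/usr/bin/env bash
# Added example: what `gpg --verify file.tar.xz.asc file.tar.xz` checks.
# The key, keyrings and file are all constructed in a temp directory.

setup_demo() {   # throwaway signing key, sample file, detached signature
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/signer"
    mkdir -m 700 "$GNUPGHOME" "$work/empty" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        default default never 2>/dev/null || return 1
    printf 'constructed tarball contents\n' > "$work/file.tar.xz"
    # The .asc holds a signature over a hash of the file, not a copy of it.
    gpg --batch --quiet --armor --detach-sign \
        --output "$work/file.tar.xz.asc" "$work/file.tar.xz" 2>/dev/null
}

# Print gpg's machine-readable verdict for <sig> <file> using keyring <home>.
verify_status() {
    gpg --homedir "$3" --batch --no-auto-key-retrieve --status-fd 1 \
        --verify "$1" "$2" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && $2 ~ /^(GOODSIG|BADSIG|ERRSIG)$/ { print $2; exit }'
}

teardown_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    unset GNUPGHOME
}

demo() {
    setup_demo || { teardown_demo; return 1; }
    f="$work/file.tar.xz"
    # Signer's public key present, file untouched.
    echo "original file: $(verify_status "$f.asc" "$f" "$GNUPGHOME")"
    # Same file and signature, but a keyring without the signer's public key.
    echo "no public key: $(verify_status "$f.asc" "$f" "$work/empty")"
    # One byte appended: the hash no longer matches what was signed.
    printf 'x' >> "$f"
    echo "modified file: $(verify_status "$f.asc" "$f" "$GNUPGHOME")"
    teardown_demo
}

demo || echo "demo failed (is gpg 2.x installed?)" >&2
```

A GOODSIG only says the file matches what the holder of that key signed; whether the key really belongs to the author is the separate trust question raised in post #3.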
