[*] You can use either of the above signature files to verify that
the corresponding file (without the .sig suffix) is intact. First,
be sure to download both the .sig file and the corresponding tarball.
Then, run a command like this:
gpg --verify m4-1.4.15.tar.gz.sig
If that command fails because you don't have the required public key,
then run this command to import it: