how to verify downloaded file

John Clizbe
Mon Jul 21 21:29:02 2003

Hash: SHA1 wrote:

> I've downloaded and installed gnupg for the sole purpose of verifying
> the integrity of a downloaded file.  My OS is Windows2000.

>   C:\My Download Files>gpg --verify stunnel-4.04.exe
>   gpg: no valid OpenPGP data found.
>   gpg: the signature could not be verified.
>   Please remember that the signature file (.sig or .asc)
>   should be the first file given on the command line.
> Then I tried following the advice given in the error message:
>   C:\My Download Files>gpg --verify pgp_asc.htm stunnel-4.04.exe
>   gpg: verify signatures failed: unexpected data
> What must I do to verify the downloaded file?

You need to download the detached signature that accompanies the file.
Usually it is named something like stunnel-4.04.exe.sig, but some apps
dislike multiple extensions so it may be stunnel-4.04.sig ( or .asc). Then
THAT is the file you feed to gpg; ie

     gpg -- verify stunnel-4.04.exe.sig stunnel-4.04.exe

or just simply

     gpg -- verify stunnel-4.04.exe.sig

- --
John P. Clizbe                   Inet:   JPClizbe (a) comcast DOT nyet
Golden Bear Networks             PGP/GPG KeyID: 0x608D2A10
  "Most men take the straight and narrow. A few take the road less
traveled.  I chose to cut through the woods."
  "There is safety in Numbers... *VERY LARGE PRIME* Numbers
9:00PM Tonight on _REAL_IRONY_:  Vegetarian Man Eaten by Cannibals
Version: GnuPG v1.2.2-nr1 (Windows 2000)
Comment: Using GnuPG with Mozilla -