how to verify downloaded file

Neil Williams
Mon Jul 21 21:39:03 2003

On Monday 21 Jul 2003 7:32 pm, wrote:
> I've downloaded and installed gnupg for the sole purpose of verifying
> the integrity of a downloaded file.  My OS is Windows2000.

What you've done so far is fine, but you didn't actually download the
signature to use to verify the file. That's:

Note the similarity to the original file name.
(Isn't Google great! Google found the home page, that led to the FTP site
lo and behold there were the two matching files. All from just a filename.)

Download this file from the original FTP site where you obtained

Now use:

>   C:\My Download Files>gpg --verify stunnel-4.04.exe.asc stunnel-4.04.exe

>   C:\My Download Files>gpg --import pgp_asc.htm

That's the public key - needed to test the signature. You import the public
key but test the signature.

>   C:\My Download Files>gpg --verify pgp_asc.htm stunnel-4.04.exe
>   gpg: verify signatures failed: unexpected data

Failed because you tried to verify a public key instead of the signature.

Think of it as:
The file is the credit card slip.
The public key is the pen.
The signature, well it just is.

The owner of the public key signs the file and creates a separate signature
file. This is to prevent the signature interfering with the execution of the
program itself.

You import the correct public key (as you've done) then download the file and
the associated signature file. All three are needed to verify the signature.

> What must I do to verify the downloaded file?

Download one more file - the signature file.


Neil Williams
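
An added example, not part of the original message: a small Python check that tells a public key file from a detached signature by its ASCII-armor header before calling gpg --verify, which is the mix-up behind the "unexpected data" error above. The function names and sample data are hypothetical and constructed for illustration; it assumes gpg is on PATH and the signer's key has already been imported.

```python
import re
import shutil
import subprocess
import sys

# First armor line -> what the file holds (and which gpg command wants it).
ARMOR_KINDS = {
    "PGP PUBLIC KEY BLOCK": "public-key",  # gpg --import
    "PGP SIGNATURE": "signature",          # gpg --verify
    "PGP SIGNED MESSAGE": "clearsigned",
    "PGP MESSAGE": "message",
}
ARMOR_RE = re.compile(rb"^-----BEGIN (PGP [A-Z ]+)-----\s*$", re.MULTILINE)

# Constructed samples: armor framing only, the bodies are not real OpenPGP data.
SAMPLE_KEY = b"<pre>\n-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n(constructed)\n-----END PGP PUBLIC KEY BLOCK-----\n</pre>\n"
SAMPLE_SIG = b"-----BEGIN PGP SIGNATURE-----\r\n\r\n(constructed)\r\n-----END PGP SIGNATURE-----\r\n"


def armor_kind(data: bytes) -> str:
    """Classify a file by its first ASCII-armor BEGIN line."""
    m = ARMOR_RE.search(data)
    if not m:
        return "unknown"  # no armor: binary signature, plain HTML, the program itself
    return ARMOR_KINDS.get(m.group(1).decode("ascii"), "unknown")


def signature_problem(data: bytes) -> str:
    """Return '' if data is a detached signature, otherwise what is wrong."""
    kind = armor_kind(data)
    if kind == "signature":
        return ""
    if kind == "public-key":
        return "public key, not a signature: use gpg --import on it"
    return f"not an armored detached signature ({kind})"


def verify(sig_path: str, file_path: str) -> bool:
    """Run gpg --verify only if sig_path really is a signature file."""
    with open(sig_path, "rb") as fh:
        problem = signature_problem(fh.read())
    if problem or shutil.which("gpg") is None:
        print(f"{sig_path}: {problem or 'gpg not found on PATH'}", file=sys.stderr)
        return False
    # Exit status 0: good signature made by a key already in the keyring.
    return subprocess.run(["gpg", "--verify", sig_path, file_path]).returncode == 0


if __name__ == "__main__" and len(sys.argv) == 3:
    sys.exit(0 if verify(sys.argv[1], sys.argv[2]) else 1)
```

Run it with the signature file first and the downloaded file second, the same argument order gpg --verify takes.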
