how to verify downloaded file
Neil Williams
linux@codehelp.co.uk
Mon Jul 21 21:39:03 2003
On Monday 21 Jul 2003 7:32 pm, kynn@panix.com wrote:
> I've downloaded and installed gnupg for the sole purpose of verifying
> the integrity of a downloaded file. My OS is Windows2000.
What you've done so far is fine, but you didn't actually download the
signature to use to verify the file. That's:
stunnel-4.04.exe.asc
Note the similarity to the original file name.
(Isn't google great! Google found the home page, that led to the FTP site and
lo and behold there were the two matching files. All from just a filename.)
Download this file from the original FTP site where you obtained
stunnel-4.04.exe
Now use:
> C:\My Download Files>gpg --verify stunnel-4.04.exe.asc stunnel-4.04.exe
> C:\My Download Files>gpg --import pgp_asc.htm
That's the public key - needed to test the signature. You import the public
key but test the signature.
> C:\My Download Files>gpg --verify pgp_asc.htm stunnel-4.04.exe
> gpg: verify signatures failed: unexpected data
Failed because you tried to verify a public key instead of the signature.
Think of it as:
The file is the credit card slip.
The public key is the pen.
The signature, well it just is.
The owner of the public key signs the file and creates a separate signature
file. This is to prevent the signature interfering with the execution of the
program itself.
You import the correct public key (as you've done) then download the file and
the associated signature file. All three are needed to verify the signature.
> What must I do to verify the downloaded file?
Download one more file - the signature file.
-- 
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://slashdot.org/~codehelp
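
The mix-up described in the message above (a public key file handed to gpg --verify in place of the signature) can be caught before gpg runs by reading the ASCII-armor header. This is an added example, not part of the original message; it is written for a POSIX shell, and the function names armor_kind and verify_download are hypothetical.

```shell
#!/bin/sh
# Added example: tell an armored public key from an armored detached
# signature, and run "gpg --verify" only on a real signature file.

# Print signature, public-key, private-key, message or unknown.
armor_kind() {
    # First armor header found anywhere in the file, so a key saved
    # inside a web page (like pgp_asc.htm) or with CRLF endings still matches.
    header=$(grep -m 1 -o -e '-----BEGIN PGP [A-Z ]*-----' "$1" 2>/dev/null | head -n 1)
    case "$header" in
        '-----BEGIN PGP SIGNATURE-----')         echo signature ;;
        '-----BEGIN PGP PUBLIC KEY BLOCK-----')  echo public-key ;;
        '-----BEGIN PGP PRIVATE KEY BLOCK-----') echo private-key ;;
        '-----BEGIN PGP MESSAGE-----')           echo message ;;
        *)                                       echo unknown ;;
    esac
}

# Usage: verify_download SIGFILE DATAFILE
# Returns 2 without calling gpg when the inputs are the wrong kind of file;
# otherwise returns gpg's own exit status.
verify_download() {
    kind=$(armor_kind "$1")
    if [ "$kind" != signature ]; then
        echo "refusing: $1 looks like '$kind', not a detached signature" >&2
        if [ "$kind" = public-key ]; then
            echo "hint: run 'gpg --import $1', then download the .asc signature" >&2
        fi
        return 2
    fi
    if [ ! -f "$2" ]; then
        echo "missing data file: $2" >&2
        return 2
    fi
    # Signature first, signed file second, as in the command quoted above.
    gpg --verify "$1" "$2"
}

# Example call, using the file names from this thread:
#   verify_download stunnel-4.04.exe.asc stunnel-4.04.exe
```

A binary (non-armored) signature has no armor header and is reported as unknown, so this check applies only to .asc style files.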