how to verify downloaded file
Mon Jul 21 21:39:03 2003
Content-Description: signed data
On Monday 21 Jul 2003 7:32 pm, firstname.lastname@example.org wrote:
> I've downloaded and installed gnupg for the sole purpose of verifying
> the integrity of a downloaded file. My OS is Windows2000.
What you've done so far is fine, but you didn't actually download the=20
signature to use to verify the file. That's:
Note the similarity to the original file name.
(Isn't google great! Google found the home page, that lead to the FTP site =
lo and behold there were the two matching files. All from just a filename.)
Download this file from the original FTP site where you obtained=20
> C:\My Download Files>gpg --verify stunnel-4.04.exe.asc stunnel-4.04.exe
> C:\My Download Files>gpg --import pgp_asc.htm
That's the public key - needed to test the signature. You import the public=
key but test the signature.
> C:\My Download Files>gpg --verify pgp_asc.htm stunnel-4.04.exe
> gpg: verify signatures failed: unexpected data
=46ailed because you tried to verify a public key instead of the signature.
Think of it as:
The file is the credit card slip.
The public key is the pen.
The signature, well it just is.
The owner of the public key signs the file and creates a separate signature=
file. This is to prevent the signature interfering with the execution of th=
You import the correct public key (as you've done) then download the file a=
the associated signature file. All three are needed to verify the signature.
> What must I do to verify the downloaded file?
Download one more file - the signature file.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----