Verifying integrity of release files

zdia edited this page Jan 15, 2013 · 2 revisions

Beginning in 2013, packaged file releases of Password Gorilla will additionally be protected by a GPG (GNU Privacy Guard: http://www.gnupg.org/) signature. This signature can be used to verify that the files you have downloaded from a repository have not been modified since they were released.

In order to fully verify that no changes have been made to a downloaded file, you will first need to import the Password Gorilla GPG key below into your GPG keyring. Directions for doing this with the GPG command line are given below. There are numerous graphical interfaces for GPG, too many to give specifics for any one; please consult the documentation for your preferred interface to learn how to import a GPG key.

How to verify

Once you have imported the Password Gorilla key, verification is a simple process. First, download a Password Gorilla file distribution as well as the associated .sig file, e.g.:

PasswordGorilla-version.x.y.z.exe
PasswordGorilla-version.x.y.z.exe.sig

Then use GPG to verify the integrity of the downloaded file (note: the .sig file must be listed first on the command line):

$ gpg --verify PasswordGorilla-version.x.y.z.exe.sig PasswordGorilla-version.x.y.z.exe 
gpg: Signature made Tue 15 Jan 2013 12:05:16 PM EST using RSA key ID 39C2C8B1
gpg: Good signature from "Password Gorilla Verification Key <password-gorilla@dp100.com>"

If you have not marked the Password Gorilla key on your keyring as "trusted", you will instead get this output from GPG:

$ gpg --verify PasswordGorilla-version.x.y.z.exe.sig PasswordGorilla-version.x.y.z.exe 
gpg: Signature made Tue 15 Jan 2013 12:05:16 PM EST using RSA key ID 39C2C8B1
gpg: Good signature from "Password Gorilla Verification Key <password-gorilla@dp100.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1D6B D236 2172 C81B 0E8C  D4BF CFE4 1851 39C2 C8B1

The "WARNING" is expected, and simply means that you have not told GPG you "trust" the Password Gorilla key. How to indicate "trust" of the key to GPG is beyond the scope of this page. If you wish to mark the Password Gorilla key as "trusted", please refer to your GPG or GPG interface documentation for details.
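
A scripted form of the check above, as an added example that is not part of the original page or the Password Gorilla project: it reads GnuPG's machine-readable `--status-fd` output and accepts the file only when the signing key's full fingerprint equals the "Primary key fingerprint" shown in the output above, since the 8-character key ID alone does not uniquely identify a key. The function names and script layout are assumptions.

```shell
#!/bin/sh
# Added example, not Password Gorilla project code.
# Fingerprint copied from the "Primary key fingerprint" line on this page,
# with the spaces removed.
EXPECTED_FPR="1D6BD2362172C81B0E8CD4BFCFE4185139C2C8B1"

# check_status EXPECTED_FPR   (reads "gpg --status-fd" text on stdin)
# Succeeds only if a VALIDSIG line ends with EXPECTED_FPR (the primary key
# fingerprint is the last VALIDSIG field) and no failure status is present.
# If gpg omits that last field, the comparison fails and the file is rejected.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG"    { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            if (toupper($NF) == toupper(want)) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_release SIGFILE DATAFILE
# Same argument order as on this page: the .sig file comes first.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# When called with two arguments, act as a stand-alone verifier.
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: $2 is signed by key $EXPECTED_FPR"
    else
        echo "FAILED: signature on $2 did not verify against $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

Because the script compares the fingerprint itself, it gives the same answer whether or not the key has been marked as "trusted" in the keyring.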

Importing the Password Gorilla key

After copying and pasting the entire block of GPG key data below into a text file on your computer, the key can be imported into your GPG keyring by running the following GPG command:

gpg --import pwg-saved-key-file

Replace "pwg-saved-key-file" with the name of the file into which the key below has been copied.

Password Gorilla GPG key

Below is the GPG key that is used to sign Password Gorilla release files. Copy everything below beginning with the first hyphen (-) character all the way to the final hyphen character into a text file on your computer in order to import this key into GPG:
