Verifying integrity of release files

rich123 edited this page Sep 13, 2018 · 3 revisions

Beginning in 2013, packaged file releases of Password Gorilla are additionally protected by a GPG (GNU Privacy Guard: http://www.gnupg.org/) signature. This signature can be used to verify that the file you downloaded from a repository has not been modified since it was released.

In order to fully verify that no changes have been made to a downloaded file, you will first need to import the Password Gorilla GPG key below into your GPG keyring. Directions for how to do this are given for the GPG command line below. Note that there are numerous graphical interfaces for GPG, too many to give specifics for any one. Please consult the documentation for your particular favorite to learn how to import a GPG key.

How to verify

Once you have imported the Password Gorilla key, verification is a simple process. First, download a Password Gorilla file distribution as well as the associated .sig file, e.g.:

PasswordGorilla-version.x.y.z.exe
PasswordGorilla-version.x.y.z.exe.sig

Then use GPG to verify the integrity of the downloaded file (note, the .sig file must be listed first on the command line):

$ gpg --verify PasswordGorilla-version.x.y.z.exe.sig PasswordGorilla-version.x.y.z.exe 
gpg: Signature made Tue 15 Jan 2013 12:05:16 PM EST using RSA key ID 39C2C8B1
gpg: Good signature from "Password Gorilla Verification Key <password-gorilla@dp100.com>"

If you have not marked the Password Gorilla key on your keyring as "trusted", you will instead get this output from GPG:

$ gpg --verify PasswordGorilla-version.x.y.z.exe.sig PasswordGorilla-version.x.y.z.exe 
gpg: Signature made Tue 15 Jan 2013 12:05:16 PM EST using RSA key ID 39C2C8B1
gpg: Good signature from "Password Gorilla Verification Key <password-gorilla@dp100.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1D6B D236 2172 C81B 0E8C  D4BF CFE4 1851 39C2 C8B1

The "WARNING" is expected, and simply means that you have not told GPG that you "trust" the Password Gorilla key. How to indicate "trust" of the key to GPG is beyond the scope of this page; please refer to your GPG or GPG interface documentation for details if you wish to mark the Password Gorilla key as trusted.
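When the key is not marked as trusted, the check that remains is that the signature came from the key with the fingerprint printed above, not just a key with the same 8-digit key ID. The script below is an added example, not part of the Password Gorilla project: it pins that fingerprint and reads GPG's `--status-fd` output. The function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: check gpg's machine-readable status against a pinned fingerprint.
# Fingerprint from the "Primary key fingerprint" line on this page, spaces removed.
PWG_FPR="1D6BD2362172C81B0E8CD4BFCFE4185139C2C8B1"

# check_status: read `gpg --status-fd` lines on stdin. Succeeds only when gpg
# reported GOODSIG and VALIDSIG names the pinned primary key fingerprint.
check_status() {
    awk -v want="$PWG_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint when gpg supplies it;
            # field 3 is the fingerprint of the key that made the signature.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) pinned = 1
        }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit ((good && pinned && !bad) ? 0 : 1) }
    '
}

# verify_release SIGFILE DATAFILE: run gpg (the .sig file first) and apply the check.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" | check_status
}

# Constructed status output (not captured from a real run): signed by the pinned key.
sample_good() {
    cat <<EOF
[GNUPG:] GOODSIG CFE4185139C2C8B1 Password Gorilla Verification Key <password-gorilla@dp100.com>
[GNUPG:] VALIDSIG $PWG_FPR 2013-01-15 1358269516 0 4 0 1 2 00 $PWG_FPR
EOF
}

# Constructed: a good signature from a different key that shares the 8-digit key ID.
sample_other_key() {
    other="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA39C2C8B1"
    cat <<EOF
[GNUPG:] GOODSIG AAAAAAAA39C2C8B1 Some Other Key <other@example.invalid>
[GNUPG:] VALIDSIG $other 2013-01-15 1358269516 0 4 0 1 2 00 $other
EOF
}

if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" && echo "OK: signed by pinned key" || { echo "FAILED" >&2; exit 1; }
fi
```

Run it with the .sig file first and the release file second, in the same order as the `gpg --verify` command above.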

Importing the Password Gorilla key

After copying and pasting the entire block of GPG key data below into a text file on your computer, the key can be imported into your GPG keyring by running the following command line invocation of GPG.

gpg --import pwg-saved-key-file

Replace "pwg-saved-key-file" with the name of the file into which the key below has been copied.

Password Gorilla GPG key

Below is the GPG key that is used to sign Password Gorilla release files. Copy everything below beginning with the first hyphen (-) character all the way to the final hyphen character into a text file on your computer in order to import this key into GPG:
