To verify the download integrity of putty, what is the best way to first verify the "SHA-512: (RSA sig) | (DSA sig)" PGP signature of these check-sum files for putty? (I am guessing "sig" means signed.)
From the putty download page:
MD5: md5sums (or by FTP) (RSA sig) (DSA sig)
SHA-1: sha1sums (or by FTP) (RSA sig) (DSA sig)
SHA-256: sha256sums (or by FTP) (RSA sig) (DSA sig)
SHA-512: sha512sums (or by FTP) (RSA sig) (DSA sig)
I already know how to verify the plain text check-sum (sha512sums) using something like HashSlash, but I am interested in the RSA/DSA signed checksums (above right).
When I open the downloaded DSA sig file with a text editor, the first line is "-----BEGIN PGP SIGNED MESSAGE-----".
So I went to the PGP site and drilled down into what looked like the latest version for windows PGP 8.0. But it clicked me into the Symantec site where they sell products "Powered by PGP Technology" which doesn't look like what I am looking for.
So what is the best way to verify these check-sum PGP signatures these days?
Thanks in advance for your help.
Notes:
- I need putty for SSH logins to my website host.
- The other available versions of PGP seem quite old.
Best Answer
The most popular tool is GnuPG, normally a command-line tool, but the Gpg4win project has a bundle of GnuPG for Windows along with two graphical interfaces.
(I had imported the signer's public key before. You will need to do that too, as well as find a way of making sure that you have the correct key and not a fake one...)
While PGP Corporation was bought by Symantec long ago, among their various PGP-based products you can still find trial versions of Symantec Desktop Email Encryption and Symantec Encryption Desktop Corporate which are a continuation of the original PGP for Windows and commercial PGP Desktop 8.x–9.x.
Trial versions of PGP Desktop 8.x can be found in various places. It is likely that 7.x will work just fine for verifying the signatures, even if it lacks security fixes and updates.
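As an added illustration of the GnuPG route described in the answer (this is example code, not from the original post or the PuTTY project), the script below verifies a clearsigned checksum file such as sha512sums.DSA, pins the signing key by its full fingerprint rather than trusting any "Good signature", and only then compares one installer's SHA-512 against the signed list. It assumes GnuPG 2.x and sha512sum are installed and that the key fingerprint is supplied by the caller from a trusted source.

```shell
#!/bin/sh
# Added example (not from the original post): verify a clearsigned PuTTY
# checksum file with GnuPG, then check one installer against the signed list.
# Assumes gpg (GnuPG 2.x) and sha512sum are available.
set -e

# verify_clearsigned SIGFILE EXPECTED_FPR
# Succeeds only for a good signature made by the key whose full primary-key
# fingerprint is EXPECTED_FPR. "Good signature" alone means *some* imported
# key signed the file; pinning the fingerprint is what defeats a fake key,
# independently of the local trust database.
verify_clearsigned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    # The VALIDSIG status line ends with the primary key fingerprint,
    # even when a signing subkey made the signature.
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF}')
    [ -n "$primary" ] && [ "$primary" = "$2" ]
}

# signed_sum SIGFILE ENTRY: the SHA-512 recorded for ENTRY (e.g. w64/putty.exe)
# in the signed text. gpg --decrypt prints the cleartext of a clearsigned
# message and undoes the "- " dash-escaping that clearsigning applies.
signed_sum() {
    gpg --batch --decrypt "$1" 2>/dev/null |
        awk -v f="$2" '{ sub(/^\*/, "", $NF) } $NF == f { print $1; exit }'
}

# check_file SIGFILE EXPECTED_FPR FILE ENTRY: signature first, then the hash.
check_file() {
    verify_clearsigned "$1" "$2" || { echo "BAD SIGNATURE: $1" >&2; return 1; }
    want=$(signed_sum "$1" "$4")
    [ -n "$want" ] || { echo "no entry $4 in $1" >&2; return 1; }
    have=$(sha512sum "$3" | awk '{print $1}')
    [ "$have" = "$want" ] || { echo "HASH MISMATCH: $3" >&2; return 1; }
    echo "OK: $3 matches the signed SHA-512 for $4"
}

# Usage: sh verify_putty.sh sha512sums.DSA <KEY-FINGERPRINT> putty.exe w64/putty.exe
# The fingerprint must come from a source you trust, obtained out of band.
if [ $# -eq 4 ]; then
    check_file "$1" "$2" "$3" "$4"
fi
```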