12

To verify the download integrity of putty, how is the best way to first verify the "SHA-512: (RSA sig) | (DSA sig)" PGP signature of these check-sum files for putty? (I am guessing "sig" means signed.)

From the putty download page:

MD5:        md5sums     (or by FTP)     (RSA sig)   (DSA sig)
SHA-1:      sha1sums    (or by FTP)     (RSA sig)   (DSA sig)
SHA-256:    sha256sums  (or by FTP)     (RSA sig)   (DSA sig)
SHA-512:    sha512sums  (or by FTP)     (RSA sig)   (DSA sig)

I already know how to verify the plain text check-sum (sha512sums) using something like HashSlash, but I am interested in the RSA/DSA signed checksums (above right).

When I open the downloaded DSA sig file with a text editor, the first line is "-----BEGIN PGP SIGNED MESSAGE-----".

So I went to the PGP site and drilled down into what looked like the latest version for windows PGP 8.0. But it clicked me into the Symantec site where they sell products "Powered by PGP Technology" which doesn't look like what I am looking for.

So what is the best way to verify these check-sum PGP signatures these days?

Thanks in advance for your help.

Notes:

  • I need putty for SSH logins to my website host.
  • The other available versions of PGP seem quite old.
Elliptical view
  • 1,160
  • 12
  • 23

1 Answers1

11

The most popular tool is GnuPG, normally a command-line tool, but the Gpg4win project has a bundle of GnuPG for Windows along with two graphical interfaces.

$ gpg --verify putty.exe.DSA putty.exe
gpg: Signature made 2013-08-06T20:21:29 EEST
gpg:                using DSA key FECD6F3F08B0A90B
gpg: Good signature from "PuTTY Releases (DSA) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 00B1 1009 38E6 9800 6518  F0AB FECD 6F3F 08B0 A90B

(I had imported the signer's public key before. You will need to do that too, as well as find a way of making sure that you have the correct key and not a fake one...)

While PGP Corporation was bought by Symantec long ago, among their various PGP-based products you can still find trial versions of Symantec Desktop Email Encryption and Symantec Encryption Desktop Corporate which are a continuation of the original PGP for Windows and commercial PGP Desktop 8.x–9.x.

Trial versions of PGP Desktop 8.x can be found in various places. It is likely that 7.x will work just fine for verifying the signatures, even if it lacks security fixes and updates.

u1686_grawity
  • 426,297
  • 64
  • 894
  • 966
  • 1
    Can you please explain how did you import signer's public key before? I tried to use master key and release key provided here ( http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html ) by this command: gpg --import public.key but attempt was rejected because there was not any valid user id. – Luke Mar 29 '15 at 10:56
  • 1
    @dx486: The RSA keys are of a very old (and insecure) format, and modern GnuPG versions no longer accept them. You might need `--allow-non-selfsigned-uid` or even to install "gnupg1". – u1686_grawity Mar 29 '15 at 13:08