| Version 4 (modified by , 11 years ago) (diff) |
|---|
What is a signature and why should I check it?
When you download a file from the internet, you don't have a good way of knowing if it may have been tampered with. It's not beyond the realm of possibility that someone could release a patched version of pidgin that transparently captured your passwords and uploaded them to some server.
This is where signatures come in - file signatures are very similar in concept to the idea behind signing both the back of your credit card, and a credit card receipt. The signature is a verification that the file came from who it was expected to come from.
You probably have noticed that vendors frequently don't bother to compare the signature on the receipt to the signature on the back of the card, which makes it so that anyone could have been using the credit card (let's pretend that the signature on a credit card slip isn't trivially easy to forge). Similarly, if you don't verify the signature on a file, even if the file is signed, you don't have any confidence that it came from where it was expected to come from.
Due to the nature of how signing works, an additional benefit is that if you verify the signature, you can be confident that nothing got corrupted during the download process - the file you have is exactly as it was when it was signed.
Source Tarballs
The source tarballs (pidgin-$VERSION.tar.gz and pidgin-$VERSION.tar.bz2) are signed with GPG by one of the following people:
| Signer | Key Signature |
| Mark Doliner | 4C292FCC
|
| Ethan Blanton | 771FC72B
|
| Stu Tomlinson | A9464AA9
|
The signatures for the source tarballs (pidgin-$VERSION.tar.gz and pidgin-$VERSION.tar.bz2) are provided as separate $FILENAME.asc downloads from the same sourceforge download directory.
You can verify a tarball by downloading both the tarball and its corresponding .asc file:
gpg --verify $FILENAME.asc
If you haven't already imported the key that was used to sign the tarballs, you'll get a message about an unknown key when you attempt to verify; you'll need to import one of the above key signatures from a public keyserver (e.g. pgp.mit.edu):
gpg --keyserver pgp.mit.edu --recv-key $KEYSIGNATURE
You can read more about how the signing and verification works in the GPG Handbook.
Windows Installers
As of Pidgin 2.10.7, the Windows installers are signed using the Microsoft Authenticode signing mechanism by Daniel Atallah using a key with a thumbprint of C5476901C3C63FABF54CEBA9E3F887932A9579B5.
The signature can be verified most easily by using Windows Explorer to look at the Properties of the installer executable.
In the "Digital Signatures" tab, you can look at the Details of the signature, "View Certificate", and compare the (case-insensitive, whitespace-insensitive) "Thumbprint" value in the "Details" tab to the value listed above.
Alternatively, the signature can be verified using Microsoft's signtool.exe utility (which, unfortunately, in order to obtain, requires that you install the at least parts of Microsoft Platform SDK).
Attachments (1)
-
windows_cert_verify_thumbprint.jpg (97.6 KB) - added by 11 years ago.
Image showing the steps to verify the window signing certificate's thumbprint.
Download all attachments as: .zip
