In the downloads list, along with pwsafe-2.06-bin.zip, I see pwsafe-2.06-bin.zip.sig, which I suppose is likely a hash used to verify the zip file.
How would I use the sig file to verify the zip file?
Thanks.
Frank
Hi,
You're right in that the .sig file is like a hash, in that it can be used to verify the integrity of the binary zip file. In addition, the sig file can assure you that the hash was generated by the signer - in this case, me.
To verify the signature, you need to get PGP (http://www.pgp.com/downloads/index.html - last time I checked, free for personal use) or its GNU equivalent, gpg (http://www.gnupg.org/ - no usage restrictions). Once you've installed one of those, you'll need my public key, available from http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFA175557
Rony
Rony, I think you should publish your fingerprint somewhere, so that we can verify and trust the public key.
Good idea. I've added the fingerprint to the link to the key on the project homepage (http://passwordsafe.sourceforge.net/).
Cheers,
I don't see the public key anymore on the site, and unfortunately MIT's pks server is not responding.
Thanks.
--todd
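
Added example, not part of the original posts and not the project's own tooling: the verification described in the thread, written so that a download is accepted only when gpg reports exactly one valid signature from a key whose full 40-digit fingerprint matches the one published on the project homepage, rather than relying on the short key ID in the keyserver link. The function names, the sample fingerprint and the sample status lines are constructed for illustration; the real fingerprint is not quoted in the thread.

```sh
# Added example (not from the thread). Checks gpg's --status-fd output against
# a pinned full fingerprint instead of trusting a short key ID.

# sig_ok STATUS_TEXT EXPECTED_FPR
# Returns 0 only for exactly one valid signature from the pinned key,
# 1 for any other verification result, 2 if EXPECTED_FPR is not 40 hex digits.
sig_ok() {
    status=$1
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case $want in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2   # rejects short IDs such as FA175557
    # Any failure marker makes the whole result untrusted.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        return 1
    fi
    count=$(printf '%s\n' "$status" | grep -Ec '^\[GNUPG:\] VALIDSIG ' || true)
    [ "$count" -eq 1 ] || return 1
    # VALIDSIG: field 3 is the signing key fingerprint, the last field is the
    # primary key fingerprint (they differ when a subkey made the signature).
    line=$(printf '%s\n' "$status" | grep -E '^\[GNUPG:\] VALIDSIG ')
    signer=$(printf '%s\n' "$line" | awk '{print $3}')
    primary=$(printf '%s\n' "$line" | awk '{print $NF}')
    [ "$signer" = "$want" ] || [ "$primary" = "$want" ]
}

# verify_release ZIP SIG EXPECTED_FPR
# e.g. verify_release pwsafe-2.06-bin.zip pwsafe-2.06-bin.zip.sig "$FPR_FROM_HOMEPAGE"
verify_release() {
    # gpg's exit code is ignored on purpose; sig_ok decides from the status lines.
    out=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    sig_ok "$out" "$3"
}

# Constructed sample data (not a real key or real gpg output from the project).
SAMPLE_FPR='0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-01-01 1136073600 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>'
```

The public key still has to be imported into the local keyring before `verify_release` can succeed; without it gpg reports `NO_PUBKEY` and the check fails closed.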