## translation metadata
# Revision: $Revision$
# Translation-Priority: 2-medium
#include "head.wmi" TITLE="Verifying Signatures" CHARSET="UTF-8"
<div class="main-column">
<h2>How to verify signatures for packages</h2>
<hr />
<p>Each file on <a href="<page download>">our download page</a> is accompanied
by a file with the same name as the package and the extension
".asc". For example, the current Installation Bundle for Windows:
<package-win32-bundle-stable-sig>.</p>
<p>These .asc files are PGP signatures. They allow you to verify the file you've downloaded
is exactly the one that we intended you to get.</p>
<p>Of course, you'll need to have our PGP keys in your keyring: if you don't
know the PGP key, you can't be sure that it was really us who signed it. The
signing keys we use are:</p>
<ul>
<li>Roger's (0x28988BF5) typically signs the source code file.</li>
<li>Nick's (0x165733EA, or its subkey 0x8D29319A)</li>
<li>Andrew's (0x31B0974B)</li>
<li>Peter's (0x94C09C7F, or its subkey 0xAFA44BDD)</li>
<li>Matt's (0x5FA14861)</li>
<li>Jacob's (0x9D0FACE4)</li>
</ul>
<h3>Step One: Import the keys</h3>
<hr />
<p>You can import the keys directly with GnuPG:</p>
<pre>gpg --keyserver subkeys.pgp.net --recv-keys 0x28988BF5</pre>
<p>or search for keys with</p>
<pre>gpg --keyserver subkeys.pgp.net --search-keys 0x28988BF5</pre>
<p>and when you select one, it will be added to your keyring.</p>
<h3>Step Two: Verify the fingerprints</h3>
<hr />
<p>Verify the PGP fingerprints using:</p>
<pre>gpg --fingerprint (insert keyid here)</pre>
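<p>An added example, not part of the original page or the project's own scripts: a shell check that reads <code>gpg --with-colons --fingerprint</code> output and accepts a key only when exactly one primary key is listed and its full 40-digit fingerprint equals the value you pinned, because an 8-digit key ID can match more than one key. The function names and the sample listings are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: pin a key by its full fingerprint, not its 8-digit key ID.
# Input on stdin: output of  gpg --with-colons --fingerprint KEYID

# Print the fingerprint of every primary key in the listing, one per line.
# Field 10 of an "fpr" record is the fingerprint; the first "fpr" after a
# "pub" record belongs to the primary key, later ones to subkeys.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Strip whitespace and a leading 0x, then uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# check_fpr EXPECTED < listing
#   0 = exactly one primary key listed and its fingerprint equals EXPECTED
#   1 = mismatch, no key, or more than one key matched the key ID
#   2 = EXPECTED is not a full 40-hex-digit fingerprint
check_fpr() {
    got=$(primary_fprs)
    want=$(normalize_fpr "$1")
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    # More than one line here means the key ID matched several keys.
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] || return 1
    [ "$got" = "$want" ]
}

# Constructed sample listings (made-up fingerprints, not real project keys).
SAMPLE_ONE='pub:-:1024:17:2222333344445555:951609600:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF2222333344445555:
uid:-::::951609600::::Example Signer <signer@example.invalid>:
sub:-:2048:16:6666777788889999:951609600::::::e:
fpr:::::::::0000111122223333444455556666777788889999:'
SAMPLE_TWO="$SAMPLE_ONE
pub:-:4096:1:FFFFEEEE44445555:1400000000:::-:::scESC:
fpr:::::::::111111111111111111111111FFFFEEEE44445555:"
```

<p>With a real key the call is <code>gpg --with-colons --fingerprint KEYID | check_fpr "FINGERPRINT"</code>, where the fingerprint comes from a source you trust independently of the keyserver.</p>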
<p>The fingerprints for the keys should be:</p>
<pre>
pub 1024D/28988BF5 2000-02-27