How to verify signatures on released files

Each executable file on the Dynaweb download page is accompanied by a file with the same name and the extension ".asc".

These are PGP signatures, so you can verify that the file you've downloaded is exactly the one that we intended you to get.

You will need to get our PGP key first. The signing key we use is 0x52A73A12. You can search for 0x52A73A12 on the public key server http://www.keyserver.net/ and download the key from there, or you can download the key from Dynamic Internet Technology, Inc.

You can use PGP or GnuPG software to verify signatures. GnuPG software can be downloaded from the GnuPG website http://www.gnupg.org.

You can also import our key directly with GnuPG:

    gpg --keyserver www.keyserver.net --recv-keys 0x52A73A12 

The fingerprint of the key should be:

    $ gpg --fingerprint 52A73A12
    pub   1024D/52A73A12 2006-06-05 [expires: 2016-06-02]
          Key fingerprint = 236D 32B8 EB42 9514 4132  5B2D 3BA4 46F3 52A7 3A12
    uid                  "DIT Inc." <contact@dit-inc.us>
    sub   2048g/140B40A7 2006-06-05 [expires: 2016-06-02]

If you're using GnuPG, put the .asc file and the download in the same directory and type "gpg --verify filename.asc filename" (without the quotes). GnuPG will report either "Good signature" or "BAD signature", as in the following example:

    $ gpg --verify  fg676p1.exe.asc  fg676p1.exe
    gpg: Signature made Mon Aug 11 01:36:42 2008 EDT using DSA key ID 52A73A12
    gpg: Good signature from ""DIT Inc." <contact@dit-inc.us>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 236D 32B8 EB42 9514 4132  5B2D 3BA4 46F3 52A7 3A12

Notice that there is a warning because you haven't assigned a trust index to this user. The warning means that your program verified that the key made that signature, but it is up to you to decide whether that key really belongs to DIT Inc. Comparing the "Primary key fingerprint" line with the fingerprint shown above is how you check that. You can then ignore the message or assign a trust level.

For your reference, this is an example of a BAD verification. It means that the signature and file contents do not match:

    $ gpg --verify  fg676p1.exe.asc  fg676p1.exe
    gpg: Signature made Mon Aug 11 01:36:42 2008 EDT using DSA key ID 52A73A12
    gpg: BAD signature from ""DIT Inc." <contact@dit-inc.us>"

If you see a message like the one above, you should not trust the file contents.
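The manual check described above (a "Good signature" line plus a matching primary key fingerprint) can be scripted by reading GnuPG's machine-readable `--status-fd` output instead of the human-readable text. This is an added example, not code from DIT Inc.; the function names and the sample status lines are constructed for illustration, and the only value taken from the page is the fingerprint.

```shell
#!/bin/sh
# Added example: accept a download only when GnuPG's status output names
# the full fingerprint published on this page (not just the 8-digit key ID).

# Fingerprint from the page, spaces removed.
PINNED_FPR="236D32B8EB42951441325B2D3BA446F352A73A12"

# check_status PIN  (reads "gpg --status-fd" lines on stdin)
# Succeeds only if there is a GOODSIG line and a VALIDSIG line whose
# primary-key fingerprint (12th field) equals PIN. BADSIG, ERRSIG, EXPKEYSIG
# and REVKEYSIG results carry no GOODSIG line, so they are rejected.
check_status() {
    awk -v pin="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($12) == toupper(pin) { pinned = 1 }
        END { exit !(good && pinned) }
    '
}

# verify_release FILE [SIGFILE]: run gpg and apply the check above.
# Status lines go to stdout (fd 1); the human-readable text on stderr is dropped.
verify_release() {
    gpg --status-fd 1 --verify "${2:-$1.asc}" "$1" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output for an offline demonstration (timestamps and
# algorithm fields are illustrative, not captured from a real run).
sample_good() {
    echo '[GNUPG:] GOODSIG 3BA446F352A73A12 "DIT Inc." <contact@dit-inc.us>'
    echo "[GNUPG:] VALIDSIG $PINNED_FPR 2008-08-11 1218433002 0 3 0 17 2 00 $PINNED_FPR"
}
sample_bad() {
    echo '[GNUPG:] BADSIG 3BA446F352A73A12 "DIT Inc." <contact@dit-inc.us>'
}
# A good signature from a constructed key that only shares the short key ID.
sample_other_key() {
    fpr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA52A73A12"
    echo '[GNUPG:] GOODSIG AAAAAAAA52A73A12 "DIT Inc." <contact@dit-inc.us>'
    echo "[GNUPG:] VALIDSIG $fpr 2008-08-11 1218433002 0 3 0 17 2 00 $fpr"
}

if [ "$#" -ge 1 ]; then
    if verify_release "$@"; then echo "OK: signed by pinned key"; else echo "REJECTED"; exit 1; fi
else
    for s in sample_good sample_bad sample_other_key; do
        $s | check_status "$PINNED_FPR" && echo "$s: accepted" || echo "$s: rejected"
    done
fi
```

Run with a file name (for example `sh verify.sh fg676p1.exe`) to check a real download; run without arguments to see the three constructed cases.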