Verifying integrity of release files

Beginning in 2013, packaged file releases of Password Gorilla will additionally be protected by a GPG (Gnu Privacy Guard: http://www.gnupg.org/) signature. This signature can be utilized to verify that the contents you have downloaded from a repository have not been modified from that which were released.

In order to fully verify that no changes have been made to a downloaded file, you will first need to import the Password Gorilla GPG key below into your GPG keyring. Directions for how to do this are given for the GPG command line below. Note that there are numerous graphical interfaces for GPG, too many to give specifics for any one. Please consult the documentation for your particular favorite to learn how to import a GPG key.

How to verify

Once you have imported the Password Gorilla key, verification is a simple process. First, download a Password Gorilla file distribution as well as the associated .sig file, e.g.:

PasswordGorilla-version.x.y.z.exe
PasswordGorilla-version.x.y.z.exe.sig

Then use GPG to verify the integrity of the downloaded file (note, the .sig file must be listed first on the command line):

$ gpg --verify PasswordGorilla-version.x.y.z.exe.sig PasswordGorilla-version.x.y.z.exe 
gpg: Signature made Tue 15 Jan 2013 12:05:16 PM EST using RSA key ID 39C2C8B1
gpg: Good signature from "Password Gorilla Verification Key <password-gorilla@dp100.com>"

If you have not marked the Password Gorilla key on your keyring as "trusted", you will instead get this output from GPG:

$ gpg --verify PasswordGorilla-version.x.y.z.exe.sig PasswordGorilla-version.x.y.z.exe 
gpg: Signature made Tue 15 Jan 2013 12:05:16 PM EST using RSA key ID 39C2C8B1
gpg: Good signature from "Password Gorilla Verification Key <password-gorilla@dp100.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1D6B D236 2172 C81B 0E8C  D4BF CFE4 1851 39C2 C8B1

The "WARNING" is expected, and simply means that you have not told GPG you "trust" the Password Gorilla key. How to indicate "trust" of the key to GPG is beyond the scope of this page, please refer to your GPG or GPG interface documentation for details if you wish to pursue indicating a "trust" of the Password Gorilla key.

Importing the Password Gorilla key

After copying and pasting the entire block of GPG key data below into a text file on your computer, the key can be imported into your GPG keyring by running the following command line invocation of GPG.

gpg --import pwg-saved-key-file

Replace "pwg-saved-key-file" with the name of the file into which the key below has been copied.

Password Gorilla GPG key

Below is the GPG key that is used to sign Password Gorilla release files. Copy everything below beginning with the first hyphen (-) character all the way to the final hyphen character into a text file on your computer in order to import this key into GPG:

 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1
 
 mQINBFD0NtYBEADmCJpyeEGhmgOt4ezgaRioxzfKfhEAWsU5SsnUxOk6MxSX7BoF
 zRByVFXsBlwOwN0gcjsr5AriMxLWoFQbJ9Q9IzDKZxmPNkPwByaAbRKrbB3vepuj
 aMItsL8zceWD7T9R7ad81KS0EBOb1LDp/nWuFbqMvveSIRXyRzt7kFo/oa0wFuif
 Tsp4BVxWsfSSz7BG9qc31xYoavXSGviGWmd6lj5D5IXF5lMISY8ZlI1y+jRr6wYK
 1gw6zkxHjS32cmspX2CvFC/STfuOYS6Fq8gEzfYIrK7dCfAw2/i3qHCxvEFbP/dD
 9k6g7iHym490eKuxvlNkqfrV4OD4yo3pBaygJRvxQ9zLD+EXo0RPovHL5f3lWIBr
 LNxDSDhGV6BKIa5/WiM5CCJk9Q9KJCuJ9v4+2V6jX2YS1RqDeD7J+OmTh4inXzwP
 5Pp8/RUsn/bzOehpdt7KMSQkSux7Bf1sFfTSVZ5ole15RNXhFKbj14oUIYWlQppt
 B/BTR9+/goencouoVf3VaBehOjZeogYKyqSoykJCvixk5biLurQdzAkcXfbygjE/
 ovPiS96qVOE/esmd3s4Ulqd/m4vt28NIwymHyjFJBKgp8oCAaA500H7p0RRiIAF/
 BoikHb5VjfvGU3vd7PYtTbuinDFpn9y7tDmwAV1v6iDpxVmlk9yAx4uswwARAQAB
 tD5QYXNzd29yZCBHb3JpbGxhIFZlcmlmaWNhdGlvbiBLZXkgPHBhc3N3b3JkLWdv
 cmlsbGFAZHAxMDAuY29tPokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwEC
 HgECF4AFAmO5iZcFCRwrVDQACgkQz+QYUTnCyLG7yQ/8De1AWcfLgSmJMMX0pc3B
 0tKbhnnunFds6m6LQuuT75VEX7h7lE18tD59N6qGWl2/rwySRxd97RTuH4aibRX5
 NWKIUEwIqDUDHb/GZbnLBpoX0FvRriIrC/lAwiFbi1XUPCmyOr+R/Qa1tQS5Xg7G
 sG9hv2G0bRlQb/VrT6CPEmR4oiS97Q/eYpnYx/bq4vY5RqImS1B3DJA+MJ/rweb0
 kFotK54dV/uEtEkj3thrauYhh+UKJ67jog5pIFbZP/bSgHn7nqcDVsub4Xhbdpgr
 Etwc6uBzqVhT32lovtIxiqIauttHi9V8NXz0IHXRvqWjcnpZyW2xz8Tv8S641hYR
 SLcIHN6emzrwnVhP6s/+LTp1Cb7SL3XZ8UOlgIk0P2Ce8VKL2k9EwACqqC4s6q2K
 G5MTHOjtvDWoB8afMnPCX90nES+Yw0VyoAn6zQpJrs8Zavt7bYDdcB7+snnGZzWY
 oqd1Yb3AvWU8PJky5L9Jatj0MVoaPYo5+QnH3A5mG3gutNw27JSvUoqBOYbDwjd1
 G75goqnyt8kbIFBd6ExbdhjzMQmtbFynq8T//+hcf4gqcu7FhfCD4WMnCbmprbAM
 /2WMeBP+z+0nQjeQWQlGXs88R+gClKLLfI/LYK3d15BOuHmJDdUmlrNR7nTUkT+9
 WGaDcUGyoL/qTgniWplSNYWJAhwEEAECAAYFAlD0O3EACgkQhyJz5//iud54ihAA
 hFpIsEPdKX+6jeHhLygjDWiGFEhjfmr0lJVBwFuFu+CWaU0dNRq3TP86HxMbtnZk
 c5o9067Lsb2XMIJUcWCr4T3lG5taGYLW34e7JyLNPR6hRpoFfUGj7cmKpBZ3d6ru
 yJZUrPVavv9DcIeOTRtd2Ggez5qoWcR/SwDxNzV6Jac2Nvt68rBbo/zzM1XnrBQO
 r1cam5P6qiKg7YTEDZ+9Pf3L9Ud+DmyYm4dVdH90bEj1IgoDcruJVTNMttANC3Mu
 khfOFEJErP4EtRwoKy8LDQyUylqWr6+GcfnYoqau+O3Yt3z4TPkJROoGfFVMzZ3q
 mbejvFhJPyTbkE+6VdjAFlNPetVR0NVorP1+MH+/9SzAxPDtDS7/qcU6UccTaAno
 z/xiftmgGkMc5sIby6hF9kERNd1xrfTlP5PsLU+joly5g6Q7nh/oPifjRiksOQTW
 GhNGAs2LtVaJ8vcoqdxw7U6kRSyOMRZhxOr+q//U+OUwbmKFKIBrGYpCSOmBcBbZ
 p0kJ4fiWozM1GYnUsvXKEznw6hVfLcZtMLmWofqC4aF/jLmoyr0BqZ3bI39BxsRz
 ClCyXVTGSj/Zxw7IVo3WYmZVIQJANgTiLp7lSfDvJ9eL4DoYStLbuKZ6mh9qhid1
 UAfD1nl2+JO6jW4AukB4hAM4uUOxE6XL4uxlNl6qR1GIXgQQEQgABgUCUPRI/QAK
 CRCK5UJAqCdp81+7AP9bcC635l/03IuBDqSfQEgwGec8DeSUKEHfjREhtTGOwwD/
 UY+JSIZCNLr5sOy4qDUEzuHHxviAUaHuAZ4A9jgt+T+5Ag0EUPQ21gEQALrIwmT+
 aeZs+KLjhgYlqctcmsifYVTPfYgpY5LVd1KJcOqqzT7sE9JzLyBOUc/+vbwRN7Ix
 CmQvhm9oc+Vqb7mrJSwr1BbOBcepschp51Mu2trN9yMXpeXfrAzBnLTEqngD6tRe
 Cji8MUOilvX48IXx+A5Do2T8lk2hbJWtvlDNdSM9ZnbeHe3d1Lmvmat3AUUP9q5y
 jP0QIbWNhl/fVNNTu4D6qlMT2V8g08MHt2LziKPhNENAAROilhE6YgvM76fWaVrD
 Q1ux2mcJR0FqcW06mkB7r1djW7HnRuPonzb+6t1NNvV3AGxh3KFG4VZj9v6V+8Ze
 vdOCetIp2sv5TSaCcne0r4h1LaM/FsyW7MPaP5U7heWZjb7RkD76eoQMMxvTZruz
 q59KORNqLIaBiHLdzIedqmcOBPWmbCEabIHpqS731HQqw7Giy7tlKAPk1WQxtzUe
 TOsSy8Cf7QYDJYtYs2MOJ2MRwaRpX6cCMqKHn/ws8tIt53Eq5ed/oOUiY5ws6JeK
 bSjkxBq9ewGgu1in95b64j6YXJZQtDmKcuwYClQyhPu4nlFXx++Me8Azx0zgLnHJ
 y1hRS4/uytqRwvV+wFpvNGTF8hVwtm1Uhcyyuz/ILAyrrszMJa4eLfHj0e7OMo8f
 QwfMMRRe1E/EwDEF1X7GXm+PrVggF739tybJABEBAAGJAiUEGAECAA8CGwwFAmO5
 ifMFCRwrVJgACgkQz+QYUTnCyLHyCQ//Q7Cb0egJquMBEbpecrQ5YI+zRaNcAstl
 OXjqTnv6G4Qywcnlg0g+g+Vy96ygglYDKh6vLckaQpWxzaukxydpT4Ur05UhFSoH
 fGVfhhO3Qu/MRQxT0PO0KQH25aYMUjc5NDWfdSa4bg+Bh0+E3Ka8hNloBStBTKFg
 GpMTHiVOCDaM2c+WPsWUpfR2iYRnYvmkOr68c+wuxkRcLBjjorxiH3nkNEmeoXNJ
 xWFCIcekpewXEA8sqJN1RLlnFDookttTZ+pwbRnVfWxUDuv6HicWNqvs1Rg1TE92
 sxrnRwuHHK654ljpY1sYAXo/qAOKYgwRhHFnvpIsA75kwV77wrkvyo6ng80Jjluh
 BD4pncCCujv0SP8m/DfVRgCx0LbyEsMo0eDrq73PQtEKoVs2MuOdY8bj9WlEM9DW
 PJ12ggumRpmHuMT9q+cex4syWrphn20YhyU9nn640fQYVe8IyubHmOJY1IsyqXZV
 wOuG54y7uJmRuev+dArlZyax2cLgB+PXdI2Wttmf8y0ziAzgDLdpYDMnBAlihZJl
 7oDTf3wSkHAwjMDtTmIMWhep7u9vEMNaZNJhLR66dOc5v1VvOgaW6XNYHqTZ36yb
 s7bTyQxMvaQSpmOL7kar5m/B1X8lwY4+j0bvfvxt06aLgE1GDxJg9b+64fgGszSh
 SQ4WRa4kqe4=
 =iHNe
 -----END PGP PUBLIC KEY BLOCK-----