[Pidgin] Are the packages signed modified

Thu Sep 20 00:40:41 EDT 2012

Page "Are the packages signed" was changed by datallah
Diff URL: <https://developer.pidgin.im/wiki/Are%20the%20packages%20signed?action=diff&version=3>
Revision 3
Comment: Add more details about who signs the tarballs and how to verify it; remove RPM references; make readonly.
Changes:
-------8<------8<------8<------8<------8<------8<------8<------8<--------
Index: Are the packages signed
=========================================================================

--- Are the packages signed (version: 2)
+++ Are the packages signed (version: 3)
@@ -1,3 +1,27 @@
-Yes, all packages are signed. The signature for the tarball and bzip2 archive are provided by separate downloads. The RPMs we provide are signed by either Ethan Blanton, Mark Doliner, or Stu Tomlinson. Usually the Mandrake RPMs are signed by, Mark Doliner, the Fedora Core RPMs are signed by Stu Tomlinson, and the Red Hat 8 and 9 RPMs are signed by Ethan Blanton. The keys can be obtained from any key server. http://pgp.mit.edu/ is popular. 
+== Source Tarballs ==
+The source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are signed with [http://www.gnupg.org/ GPG] by on of the following people:
+||'''Signer'''||'''Key Signature'''||
+||Mark Doliner||`4C292FCC`||
+||Ethan Blanton||`771FC72B`||
+||Stu Tomlinson||`A9464AA9`|| 
 
-There is a less extensive answer to this question at [wiki:"Installing Pidgin#ArethepackagessignedIfsobywhomandhowcanIgetthekey"]. Either this one or the other one should be removed.
+The signatures for the source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are provided as separate `$FILENAME.asc` downloads from the same sourceforge download directory.
+
+You can verify a tarball by downloading both the tarball and its corresponding .asc file:
+{{{
+gpg --verify $FILENAME.asc
+}}}
+If you haven't already imported the key that was used to sign the tarballs, you'll get a message about an unknown key when you attempt to verify; you'll need to import one of the above key signatures from a public keyserver (e.g. pgp.mit.edu):
+{{{
+gpg --keyserver pgp.mit.edu --recv-key $KEYSIGNATURE
+}}}
+
+You can read more about how the signing and verification works in the [http://www.gnupg.org/gph/en/manual.html GPG Handbook].
+
+=== Windows Installers ===
+As of Pidgin 2.10.7, the Windows installers are signed using the [http://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx Microsoft Authenticode] signing mechanism by Daniel Atallah using a key with a thumbprint of `C5476901C3C63FABF54CEBA9E3F887932A9579B5`.
+
+The signature can be verified most easily by using Windows Explorer to look at the Properties of the installer executable.
+In the "Digital Signatures" tab, you can look at the Details of the signature, "View Certificate", and compare the (case-insensitive, whitespace-insensitive) "Thumbprint" value in the "Details" tab to the value listed above.[[Image(windows_cert_verify_thumbprint.jpg)]]
+
+Alternatively, the signature can be verified using Microsoft's `signtool.exe` utility (which, unfortunately, in order to obtain, requires that you install the at least parts of Microsoft Platform SDK).
-------8<------8<------8<------8<------8<------8<------8<------8<--------

--
Page URL: <https://developer.pidgin.im/wiki/Are%20the%20packages%20signed>
Pidgin <http://pidgin.im>
Pidgin

This is an automated message. Someone added your email address to be
notified of changes on 'Are the packages signed' page.
If it was not you, please report to datallah at pidgin.im.
