Signatures and Public Keys

Signature files

A signature is a file that is derived from the content of the checksum file of a release and our private signing key. See Checksums for an explanation of checksum files.

Public keys

A public key is a file that can be used with the signature file of a release to check that the checksum file of the release came from us.

Why they’re useful

You can use the signature and the public key to check that the checksum of a release came from us, then use that checksum to check that your copy of the release is identical to ours.

If you know that the checksum came from us, and your copy of the release has the same checksum, then you know that the release came from us.
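The two checks described above can also be scripted. This is an added example, not code from this page or its publisher. It assumes the GnuPG command-line tool `gpg` (which Cryptophane is a front end for) is installed and the public key is already imported, that the checksum is SHA-256, and that the checksum file starts with the hex digest. The function names and the fingerprint shown are placeholders.

```python
import hashlib
import subprocess

# Constructed sample of `gpg --status-fd 1 --verify` output; the fingerprint is a placeholder.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Publisher\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 "
    "1704067200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)

def valid_signer(status_text):
    """Return the primary-key fingerprint from a VALIDSIG status line, or None."""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Token 12 is the primary key's fingerprint; older output has only the signing key's.
            return (fields[11] if len(fields) >= 12 else fields[2]).upper()
    return None

def checksum_signed_by(sig_path, checksum_path, expected_fpr):
    """Check 1: the detached signature over the checksum file is valid and was made
    by the expected key, not merely by some key that happens to be in the keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, checksum_path],
        capture_output=True, text=True)
    wanted = expected_fpr.replace(" ", "").upper()
    return proc.returncode == 0 and valid_signer(proc.stdout) == wanted

def release_matches(release_path, checksum_path, algorithm="sha256"):
    """Check 2: our copy of the release hashes to the value in the checksum file.
    Assumes the file's first whitespace-separated token is the hex digest."""
    with open(checksum_path, encoding="ascii", errors="replace") as f:
        tokens = f.read().split()
    if not tokens:
        return False
    digest = hashlib.new(algorithm)
    with open(release_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == tokens[0].lower()

def release_is_authentic(release_path, checksum_path, sig_path, expected_fpr):
    """Trust the release only if both checks pass, signature first."""
    return (checksum_signed_by(sig_path, checksum_path, expected_fpr)
            and release_matches(release_path, checksum_path))
```

Comparing the signer's fingerprint against one obtained from the publisher matters because `gpg --verify` succeeds for a valid signature from any key in the keyring.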

How to use them

First you need to set up some software. Follow these steps:

  1. Download and install the free application Cryptophane. We recommend that you use the full installer available here.
  2. Download the public key that was used to create the signature for the checksum that you are checking. We use the same version of the key to sign many releases, so you only need to download each version once – the version number is given in the link for each release, for example “Public key 6”.
  3. Start Cryptophane.
  4. From the Cryptophane menu, click File, then click Import Keys.
  5. Choose the public key file that you downloaded in step 2, and then click OK.

If, in future, a release that you want to check uses a different version of the public key, repeat steps 2 through 5 above to import the key before continuing with the steps below.

Now you are ready to check that the checksum file came from us. Follow these steps:

  1. Download the checksum file of the release by using the “Checksum” link on the release page.
  2. Download the signature file of the release by using the “Signature” link on the release page. Save the signature file to the same location as the checksum file.
  3. In Windows Explorer, locate the signature file you downloaded in step 2.
  4. Double-click the signature file name. If the checksum file came from us you’ll see something like this: