PGP Verification for F-PROT Packages

This document discusses the use of PGP for transferring virus samples and verifying the integrity of the F-PROT package. It outlines the types of detached signatures provided and emphasizes the importance of obtaining signatures from secure sources. Additionally, it explains how to verify files using PGP and the implications of receiving a 'bad signature' message.

About PGP

We encourage the use of PGP for various purposes, including the transfer
of virus samples. This document is not intended to describe how to
install PGP or use it to encrypt files. However, PGP can also be used to
verify that the F-PROT package you receive has not been tampered with.

We use PGP to provide two types of detached signatures. One is for the
FP-xxx.ZIP package that is made available via FTP, E-mail and other means.
This signature can be obtained by doing a 'finger [email protected]'. It
is also included in the announcement we send out. Do not trust this
signature unless you obtain it from a secure source. NOTE: THIS SIGNATURE
CANNOT BE USED TO VERIFY THE INTEGRITY OF THE PACKAGE AVAILABLE AT THE
GARBO FTP SITE, AS THE FILE IS MODIFIED THERE.

The other signatures are included in the package, and are therefore less
secure, as they could be tampered with.

We include the public key of Frisk Software in NEW_VIR.DOC. This key is
signed by Fridrik Skulason and Vesselin Bontchev. The latter key is signed
by Phil Zimmermann, the author of PGP. Therefore a "web of trust" (see the
PGP documentation) can be established. Also, all those keys are available
on public key servers.

Assuming you have installed PGP and added the public key of Frisk
Software, you can verify the files by giving a command like

pgp f-prot.asc f-prot.exe

You should then see something like this:

File has signature. Public key is required to check signature.

File 'f-prot.$00' has signature, but with no text.
Text is assumed to be in file 'f-prot.exe'.

Good signature from user "Fridrik Skulason <[email protected]>".

If, instead, you get a "bad signature" message, it means that either you
are using the wrong signature, or that the file has been modified.

In some cases FTP archive sites may modify .ZIP files by adding a comment.
If that appears to be the case, you can strip the comment away by running
pkzip with the -z switch, and then use PGP to check the resulting file.
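
The following is an added example, not part of the original F-PROT
documentation. It shows why a comment added by an archive site breaks a
detached signature and how removing it restores the signed bytes. The
function names, the sample archive and the comment text are constructed
for illustration, and it assumes the site changed nothing but the comment.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory (EOCD) record signature
EOCD_FIXED = 22            # size of the EOCD record without its trailing comment

def find_eocd(data: bytes) -> int:
    """Return the offset of the EOCD record whose comment runs exactly to EOF."""
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED <= len(data):
            (clen,) = struct.unpack_from("<H", data, pos + 20)
            if pos + EOCD_FIXED + clen == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, 0, pos)
    raise ValueError("no valid End Of Central Directory record found")

def archive_comment(data: bytes) -> bytes:
    """Return the archive comment (empty if the archive has none)."""
    return data[find_eocd(data) + EOCD_FIXED:]

def strip_comment(data: bytes) -> bytes:
    """Drop the archive comment and zero its length field; nothing else changes."""
    return data[:find_eocd(data) + 20] + b"\x00\x00"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_demo():
    """Constructed sample: a clean archive and a copy with a site-added comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(zipfile.ZipInfo("f-prot.exe", (1995, 1, 1, 0, 0, 0)), b"constructed payload")
    clean = buf.getvalue()
    comment = b"Mirrored by example archive site"   # constructed comment text
    pos = find_eocd(clean)
    tagged = clean[:pos + 20] + struct.pack("<H", len(comment)) + comment
    return clean, tagged

if __name__ == "__main__":
    clean, tagged = build_demo()
    print("comment found:", archive_comment(tagged))
    print("signed bytes :", sha256(clean))
    print("as downloaded:", sha256(tagged))
    print("after strip  :", sha256(strip_comment(tagged)))
```

If the signature check still fails on the stripped file, something other
than the comment differs from what was signed, and the package should be
treated as modified.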
