This is the old ROX web-site. Please use the new website instead.
GPG is the GNU Privacy Guard.
In an effort to reduce the chance of someone breaking into SourceForge (as has happened before) and quietly changing the code (which hasn't), all software source releases have GPG signatures.
To check a file, you need to get my public key (below) and the GPG signature for the file you downloaded. Assuming the key hasn't been tampered with too, GPG can check that the downloaded file is identical to the one I signed.
You only need to download the public key once, so an attacker changing the key won't be able to fool everyone. You can also check the key's fingerprint against the one in my mailing list or usenet postings. If you spot anything suspicious, let us know quickly!
Important: a correct GPG signature tells you that you have a faithful copy of the software I released. It doesn't mean the software is actually bug free, or that I'm making any guarantees about it. All it says is that no one changed it between me and you.
There are two easy ways to install software which check the GPG signatures for you: Add App and Zero Install, so try using one of them. Zero Install checks that the key is the same when upgrading, while Add App asks you to confirm the key's fingerprint the first time you run some software signed using it.
Once GPG is installed, you need to import my key. Save the key block below (e.g. by using copy-and-paste) as key.gpg and import it by typing this command in a terminal window:
$ gpg --import key.gpg
gpg: key 59A53CC1: public key "Thomas Leonard <tal197@users.sourceforge.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1
You only have to import the key once. You can now check that any download hasn't been tampered with by downloading both the archive and the (small) .sig file that comes with it. Keep the two files in the same directory, because gpg finds the archive by stripping the .sig suffix from the signature's name (gpg --verify archive-1.9.2.tgz.sig is the same check written out in full). Check it like this:
$ gpg archive-1.9.2.tgz.sig
gpg: Signature made Fri 20 Jun 2003 11:36:18 BST using DSA key ID 59A53CC1
gpg: Good signature from "Thomas Leonard <tal197@users.sourceforge.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
This tells you that the archive you downloaded is the same as the one signed by the owner of the key you imported. Do check that the key ID and fingerprint in that output are the ones shown above: "Good signature" only means the signature matches some key in your keyring, so a file signed with a different key you happen to have imported would produce the same words.
If everyone does this, it will go a long way to preventing security problems.
For more paranoid users, the next step is to check that the key hasn't been tampered with. Find one of Thomas Leonard's postings to usenet or the Mailing Lists, and look for the GPG fingerprint at the end. Compare that with the fingerprint that was displayed during the signature check; compare the full fingerprint, not just the 8-digit key ID, since a short key ID is easy to collide deliberately. Once you're sure the key is genuine, you can sign it with your own secret key (gpg --lsign-key makes a local signature that is never exported) so you don't get the warning each time.
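The whole procedure above, as an added example that is not part of the ROX site or the project's own tooling: a POSIX shell script that runs gpg on a detached signature, reads gpg's machine-readable --status-fd lines, and accepts the archive only when the VALIDSIG fingerprint equals the fingerprint pinned from this page. That closes the gap the warning hints at: a "Good signature" made by some other key you happen to have imported is rejected rather than waved through. It assumes gpg (GnuPG) is on PATH and that the key block below has already been imported; the sample status lines at the bottom are constructed to follow the --status-fd format, not captured from a real run, and exist so the judging logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not ROX's own script): verify a release as the page describes,
# but pin the signing key's fingerprint instead of trusting "Good signature" alone.
# Assumes gpg is on PATH and the release key has already been imported.

# Fingerprint of the ROX release-signing key, copied from the page above.
EXPECTED_FPR="9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1"

# Normalise a fingerprint for comparison: drop whitespace, upper-case the hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Extract the 40-hex-digit fingerprint from gpg --status-fd output.
# gpg emits "[GNUPG:] VALIDSIG <fpr> ..." only for a cryptographically good
# signature; GOODSIG carries just the 16-digit key ID, so VALIDSIG is used here.
validsig_fpr() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Judge a block of gpg status lines.
#   returns 0: good signature from the pinned key
#   returns 1: good signature, but made by some other key in the keyring
#   returns 2: no valid signature at all (bad signature, unknown key, corrupt file)
judge_status() {
    fpr=$(validsig_fpr "$1")
    [ -n "$fpr" ] || return 2
    [ "$(norm_fpr "$fpr")" = "$(norm_fpr "$EXPECTED_FPR")" ] || return 1
    return 0
}

# Run gpg on a detached signature and judge the result.
# Usage: verify_release archive-1.9.2.tgz archive-1.9.2.tgz.sig
verify_release() {
    archive=$1
    sig=$2
    # --status-fd 1 sends the machine-readable lines to stdout while the human
    # messages stay on stderr. gpg exits non-zero on a bad signature, so "|| true"
    # keeps the captured status text even in that case.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$archive" 2>/dev/null) || true
    rc=0
    judge_status "$status" || rc=$?
    case $rc in
        0) echo "OK: $archive carries a good signature from $EXPECTED_FPR" ;;
        1) echo "REJECT: good signature, but from key $(validsig_fpr "$status"), not the pinned one" ;;
        *) echo "REJECT: no valid signature on $archive" ;;
    esac
    return $rc
}

# Constructed sample status output (not captured from a real run), in the shape
# gpg --status-fd produces, so the judging logic can be exercised offline.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AE07828059A53CC1 Thomas Leonard <tal197@users.sourceforge.net>
[GNUPG:] VALIDSIG 92429807C9853C0744A68B9AAE07828059A53CC1 2003-06-20 1056105378 0 4 0 17 2 00 92429807C9853C0744A68B9AAE07828059A53CC1
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Same shape, but signed by a hypothetical different key (fingerprint made up).
WRONG_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <else@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2003-06-20 1056105378 0 4 0 17 2 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# A signature that does not verify: gpg prints BADSIG and no VALIDSIG line.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG AE07828059A53CC1 Thomas Leonard <tal197@users.sourceforge.net>'

# When run as a script with an archive and its .sig, do the real check:
#   sh verify-rox.sh archive-1.9.2.tgz archive-1.9.2.tgz.sig
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

The pinned fingerprint is the whole point: it is what Add App confirms with you on first use and what Zero Install checks on upgrade, and a script that only greps for "Good signature" gets neither.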
See the GPG website for more instructions on using GPG.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBD1JRcERBADIOjwNaBjmv44a3DPJeVwqrdVO6nuYF16UwKXTAh3ZZNAYecD8
a7opNf4yt3TofSKfT2bEiv/hIdAy3LGjKQg54Dou1EqhB8o90RNl5NeWmHIb82Jp
bCSbAXfaEaz6MEIg0MTHBcvtAOHZbKoBuBO5b6nbokmvcyWZXJHQ9zs9dwCg4FSX
cdVBExg+2iBzEzpGyK4EFrsEAKTxf2YoLGihB1HDknvlAWIfa5dBZI9c7pdbpmkW
6nZZ+SEHC9j1VSWFbB1fpA217BPaF6bmKmLoZEdmYLItriy2GEeEnbAcqd9QvQTr
RnXzBlOanC4OHqT0dvBLMH60TsWN2ZQQ3hPInI+CAdgquDzqoZY699moo+NXZZky
bB12A/9aI83jzl8gX7j61hkdk97rL/tcrdp8nGe2mS7y6tLodh89kp0IAD3Cn9pu
bQpEVMSIAO6ocMIMa6IhiSW+axKcW44JaOXtxFhLi9RDnGhds9LKPSB+Qoyfpxkk
zcAjNFcR2tDMOaDD5+/cZHSfKhT6TuWiiAzhhZEw3ikBnhCQYLQtVGhvbWFzIExl
b25hcmQgPHRhbDE5N0B1c2Vycy5zb3VyY2Vmb3JnZS5uZXQ+iFkEExECABkFAj1J
RcEECwcDAgMVAgMDFgIBAh4BAheAAAoJEK4HgoBZpTzBvdUAoMYjTfjeiOLyBF+V
6tm/8Da/VIS2AKDXlYeko8yY/DMZDy9uLrmlrOLYmrkBDQQ9SUXGEAQA40HXju3P
alvuv73gX0PcNC1lVTE3X15DTdvQLCCCt0H62A73i22c80CfGj3LaVybOHPjuM2/
phu69zf5S3wHFJXYzezkVO7Yf/0MRyQslviy/+pWdbBJnVaE+qF3wggvcHIddatd
roJ7q1haFl+cmIf43+EqoDZWVtKejSyeuGsAAwUEAOIrD9sPoing4huSDDgNJ9bo
DbG3YkT9GROZ2FMdz12pwjUvSSxa8Yh4zJQ1EkKprSCD7QZMu9FMudzuwHZweJN1
OhG+amFSsHmYl4Cbql9401lZvpvWoBhi54eKGMaxDNIGyojWJD8FTiC2eUrMwu3G
rXu8m0nbaNiXL88Kv6EHiEYEGBECAAYFAj1JRcYACgkQrgeCgFmlPMHF8ACfehcT
YkxNRG4ozQP5gwBO8CDdGVAAn0P7xyghEym4gcy7/rvwkY7JIar5
=wks3
-----END PGP PUBLIC KEY BLOCK-----