GPG keys and instructions

GPG is the GNU Privacy Guard.

In an effort to reduce the chance of someone breaking into SourceForge (as has happened before) and quietly changing the code (which hasn't), all software source releases have GPG signatures.

To check a file, you need to get my public key (below) and the GPG signature for the file you downloaded. Assuming the key hasn't been tampered with too, GPG can check that the downloaded file is identical to the one I signed.

You only need to download the public key once, so an attacker changing the key won't be able to fool everyone (because most people will already have the good key, and they can warn the others).

You can also check the key's fingerprint against the one in my mailing list or usenet postings.
If you spot anything suspicious, let us know quickly!

Important: a correct GPG signature tells you that you have a faithful copy of the software I released. It doesn't mean the software is actually bug free, or that I'm making any guarantees about it. All it says is noone intercepted it between me and you.

There is an easy way to install software which checks the GPG signatures for you: AddApp. AddApp asks you to confirm the key's fingerprint the first time you run some software signed using it.

For more paranoid users, the next step is to check that the key hasn't been tampered with. Find one of Thomas Leonard's postings to usenet or the Mailing Lists, and look for the GPG fingerprint at the end. Compare that with the fingerprint that was displayed during the signature check.

See the GPG website for more instructions on using GPG.

Thomas Leonard's GPG key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBD1JRcERBADIOjwNaBjmv44a3DPJeVwqrdVO6nuYF16UwKXTAh3ZZNAYecD8
a7opNf4yt3TofSKfT2bEiv/hIdAy3LGjKQg54Dou1EqhB8o90RNl5NeWmHIb82Jp
bCSbAXfaEaz6MEIg0MTHBcvtAOHZbKoBuBO5b6nbokmvcyWZXJHQ9zs9dwCg4FSX
cdVBExg+2iBzEzpGyK4EFrsEAKTxf2YoLGihB1HDknvlAWIfa5dBZI9c7pdbpmkW
6nZZ+SEHC9j1VSWFbB1fpA217BPaF6bmKmLoZEdmYLItriy2GEeEnbAcqd9QvQTr
RnXzBlOanC4OHqT0dvBLMH60TsWN2ZQQ3hPInI+CAdgquDzqoZY699moo+NXZZky
bB12A/9aI83jzl8gX7j61hkdk97rL/tcrdp8nGe2mS7y6tLodh89kp0IAD3Cn9pu
bQpEVMSIAO6ocMIMa6IhiSW+axKcW44JaOXtxFhLi9RDnGhds9LKPSB+Qoyfpxkk
zcAjNFcR2tDMOaDD5+/cZHSfKhT6TuWiiAzhhZEw3ikBnhCQYLQtVGhvbWFzIExl
b25hcmQgPHRhbDE5N0B1c2Vycy5zb3VyY2Vmb3JnZS5uZXQ+iFkEExECABkFAj1J
RcEECwcDAgMVAgMDFgIBAh4BAheAAAoJEK4HgoBZpTzBvdUAoMYjTfjeiOLyBF+V
6tm/8Da/VIS2AKDXlYeko8yY/DMZDy9uLrmlrOLYmrkBDQQ9SUXGEAQA40HXju3P
alvuv73gX0PcNC1lVTE3X15DTdvQLCCCt0H62A73i22c80CfGj3LaVybOHPjuM2/
phu69zf5S3wHFJXYzezkVO7Yf/0MRyQslviy/+pWdbBJnVaE+qF3wggvcHIddatd
roJ7q1haFl+cmIf43+EqoDZWVtKejSyeuGsAAwUEAOIrD9sPoing4huSDDgNJ9bo
DbG3YkT9GROZ2FMdz12pwjUvSSxa8Yh4zJQ1EkKprSCD7QZMu9FMudzuwHZweJN1
OhG+amFSsHmYl4Cbql9401lZvpvWoBhi54eKGMaxDNIGyojWJD8FTiC2eUrMwu3G
rXu8m0nbaNiXL88Kv6EHiEYEGBECAAYFAj1JRcYACgkQrgeCgFmlPMHF8ACfehcT
YkxNRG4ozQP5gwBO8CDdGVAAn0P7xyghEym4gcy7/rvwkY7JIar5
=wks3
-----END PGP PUBLIC KEY BLOCK-----