How to verify a download file using a .sig file and public key, in Windows 10?
Solution 1:
There's a Gpg4win application, which deals with signing and verifying files. It has its Compendium, on whose 110th page we read:
Checking a signature
Now check the integrity of the file that has just been signed, i.e. check that it is correct! To check for integrity and authenticity, the signature file – hence the file with the ending .sig, .asc, .p7s or .pem – and the signed original file (original file) must be in the same file folder. Select the signature file and select the entry Decrypt and check from the Windows Explorer context menu:
Obviously you need to install it with the shell extension. The option to verify a .SIG file is under More GpgEX Options. To verify your program, I used these steps:
- downloaded jonaldkey.txt, not the other, and the Electron-Cash-2.9.4.exe.sig file
- renamed jonaldkey.txt to jonaldkey.PEM
- right-clicked the .SIG and chose Verify
- the program said it could not verify because of an unknown key, so I clicked the Import button
- I was asked to create my own key in order to verify the other person's public key, so I did that; unfortunately I was asked to accept a fingerprint of that public key, which isn't available anywhere
- after that I chose the newly imported key in the verification process and it passed.
Verify checksum (not the signature)
You can also download the SHA1.Electron-Cash-2.9.4.exe.txt file, which is a text file, and rename its extension to .sha1. I have two tools at my disposal which verify checksums. These are: 7zip and Total Commander by Ghisler. The former adds a context menu allowing you to show various checksums of a clicked file; in this case we right-click an .exe file (not the .sig) and verify the displayed sum against the downloaded SHA1 text file. The latter allows you to press Enter on the *.sha, *.md5, *.sfv etc. files and displays results as OK or FAIL.
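The same two checks from a PowerShell prompt, as an added example that is not part of the original answer. It assumes Gpg4win has put gpg.exe on the PATH, that the four files named in the answer sit in the current folder, and that the SHA1 text file contains the 40-digit hash somewhere in its text.

```powershell
# Added example. File names are the ones used in the answer; the layout of the
# checksum file (a 40-hex-digit SHA-1 somewhere in the text) is an assumption.
$exe     = 'Electron-Cash-2.9.4.exe'
$sig     = 'Electron-Cash-2.9.4.exe.sig'
$key     = 'jonaldkey.txt'
$sha1txt = 'SHA1.Electron-Cash-2.9.4.exe.txt'

# --- Checksum: detects a corrupted download, says nothing about who made it ---
$text = Get-Content -Raw -Path $sha1txt
if ($text -match '(?i)\b[0-9a-f]{40}\b') {
    $expected = $Matches[0]
} else {
    throw "No SHA-1 value found in $sha1txt"
}
$actual = (Get-FileHash -Path $exe -Algorithm SHA1).Hash
if ($actual -ine $expected) {
    throw "SHA-1 mismatch: expected $expected, got $actual"
}
"SHA-1 OK: $actual"

# --- Signature: import the public key, then check the detached .sig ---
gpg --import $key
if ($LASTEXITCODE -ne 0) { throw "gpg could not import $key" }

# --status-fd 1 writes machine-readable status lines to stdout; gpg's
# human-readable messages still go to the console via stderr.
$status = gpg --status-fd 1 --verify $sig $exe
$valid  = $status |
    Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG \S+' } |
    Select-Object -First 1
if ($LASTEXITCODE -ne 0 -or -not $valid) {
    throw 'Signature did not verify'
}

# Third field of the VALIDSIG line is the fingerprint of the signing key.
$fingerprint = ($valid -split ' ')[2]
"Signature OK, made by key with fingerprint $fingerprint"
```

A passing result only shows that the file was signed by the key that was imported; compare the printed fingerprint with one the author publishes through a separate channel before trusting it.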