This article is from the PGP FAQ, by Jeff Licquia firstname.lastname@example.org with numerous contributions by others.
If you do not presently own any copy of PGP, use great care on where
you obtain your first copy. What I would suggest is that you get two
or more copies from different sources that you feel that you can
trust. Compare the copies to see if they are absolutely identical.
This won't eliminate the possibility of having a bad copy, but it will
greatly reduce the chances.
If you already own a trusted version of PGP, it is easy to check the
validity of any future version. Newer binary versions of MIT PGP are
distributed in popular archive formats; the archive file you receive
will contain only another archive file, a file with the same name as
the archive file with the extension .ASC, and a "setup.doc" file. The
.ASC file is a stand-alone signature file for the inner archive file
that was created by the developer in charge of that particular PGP
distribution. Since nobody except the developer has access to his/her
secret key, nobody can tamper with the archive file without it being
detected. Of course, the inner archive file contains the newer PGP
A quick note: If you upgrade to MIT PGP from an older copy (2.3a or
before), you may have problems verifying the signature. See question
3.14, below, for a more detailed treatment of this problem.
To check the signature, you must use your old version of PGP to check
the archive file containing the new version. If your old version of
PGP is in a directory called C:\PGP and your new archive file and
signature is in C:\NEW (and you have retrieved MIT PGP 2.6.2), you may
execute the following command:
C:\PGP\PGP C:\NEW\PGP262I.ASC C:\NEW\PGP262I.ZIP
If you retrieve the source distribution of MIT PGP, you will find two
more files in your distribution: an archive file for the RSAREF
library and a signature file for RSAREF. You can verify the RSAREF
library in the same way as you verify the main PGP source archive.
Non-MIT versions typically include a signature file for the PGP.EXE
program file only. This file will usually be called PGPSIG.ASC. You
can check the integrity of the program itself this way by running your
older version of PGP on the new version's signature file and program
Phil Zimmermann himself signed all versions of PGP up to 2.3a. Since
then, the primary developers for each of the different versions of PGP
have signed their distributions. As of this writing, the developers
whose signatures appear on the distributions are:
MIT PGP 2.6.2 Jeff Schiller <email@example.com> ViaCrypt PGP 2.7.1 ViaCrypt PGP 2.6.2i Stale Schumacher <firstname.lastname@example.org> PGP 2.6ui mathew <email@example.com>