Public accountability made widely accessible

How to Use NAI/McAfee PGP Software to Verify Digital Signatures

Network Associates, Inc. (NAI), under its McAfee retain software branch, provides both freeware and commercial PGP software for the Windows, Macintosh, and UNIX operating systems. These instructions were written from the Windows software, but the Mac and UNIX versions should work similarly or identically. The following step-by-step instructions tell you exactly how to verify the digital signatures of electronic documents published on the 990online.com site using NAI's U.S. and Canada commercial software and freeware. The instructions for the international versions should be similar or identical.

Commercial Software: PGP Personal Privacy

The following instructions are for PGP Personal Privacy U.S. and Canada version 5.5 for Win95. Other versions should be very similar.

  1. Get Our Public Key
    1. Launch the "PGPkeys" program.
    2. Select from the menu "Keys | Search."
    3. Run a search for "990online.com" in the UserID, with the default keyserver search path.
    4. Highlight the key that is found, "right-click" on it ("click-and-hold" on a Mac), and select "Properties" on the pop-up menu.
    5. Confirm that the fingerprint for that key is the following:

      61A4 B7D6 EDB9 52BE FE8C 8A64 3020 FC66 A8E1 D182

    6. For extra security, you may wish to verify that is the same fingerprint as the one given on our Offsite Public Key Page <http://members.home.net/mercere/990online_pgp.html>.
    7. Bring up the pop-up menu again, and this time select "Import to Local Keyring."
    8. Close the search window and go back to the main PGPkeys screen.
    9. You should now have an additional key listed, for "990online.com <info@990online.com>."
  2. Download the Document and Signature
    "Right-click" on the name of the document you wish to download, and select "Save Link As..." (or "Save Target As..." or whatever your Web browser uses for saving a file). Similarly, select the key icon next key icon to the name of the file to save its associated digital signature.
  3. Test the Signature
    1. Launch the "PGPtools" program.
    2. Select "Decrypt/Verify."
    3. When asked for the file to decrypt/verify, indicate the digital signature file (ends in ".sig").
    4. When asked for the "signed file," indicate the electronic document file (ends in ".pdf").
    5. The verification runs, and should in the end indicated that the "signer" is 990online.com (not "unknown signer"), and also that the signature matches the document, indicated with a "signed document" icon (a pencil tip) in the "Name" column and a validation date in the "Signed" column. A validation failure is indicated either by "Bad signature" in the "Signed" column, or any other error.

      Note: Once you've place our public key on your keyring, you don't need to do so again. You can perform subsequent verifications starting from Step 2. In fact, depending how you've installed the PGP software (whether ".sig" files are associated with the PGP software), you may be able to simply select the signature's key icon on the documents database page in your Web browser, and the PGP software will automatically launch and ask you which signed file to verify. If you use this mechanism, be sure to first download the electronic document so that you can indicate that as the signed file.

Free Software: PGPfreeware

Still to be written.

Go to main 990online.com page

This page last modified 12May99