How to Use NAI/McAfee PGP Software to Verify Digital
Network Associates, Inc. (NAI), under its McAfee retain software branch, provides both freeware
and commercial PGP software for the Windows, Macintosh, and UNIX
operating systems. These instructions were written from the Windows software, but the Mac and UNIX versions should
work similarly or identically. The following step-by-step instructions tell you exactly how to verify the digital
signatures of electronic documents published on the 990online.com site using NAI's U.S. and Canada commercial
software and freeware. The instructions for the international versions should
be similar or identical.
Commercial Software: PGP Personal Privacy
The following instructions are for PGP Personal Privacy U.S. and Canada version 5.5 for Win95. Other versions
should be very similar.
- Get Our Public Key
- Launch the "PGPkeys" program.
- Select from the menu "Keys | Search."
- Run a search for "990online.com" in the UserID, with the default keyserver search path.
- Highlight the key that is found, "right-click" on it ("click-and-hold" on a Mac), and select
"Properties" on the pop-up menu.
- Confirm that the fingerprint for that key is the following:
61A4 B7D6 EDB9 52BE FE8C 8A64 3020 FC66 A8E1 D182
- For extra security, you may wish to verify that is the same fingerprint as the one given on our Offsite Public
Key Page <http://members.home.net/mercere/990online_pgp.html>.
- Bring up the pop-up menu again, and this time select "Import to Local Keyring."
- Close the search window and go back to the main PGPkeys screen.
- You should now have an additional key listed, for "990online.com <email@example.com>."
- Download the Document and Signature
"Right-click" on the name of the document you wish to download, and select "Save Link As..."
(or "Save Target As..." or whatever your Web browser uses for saving a file). Similarly, select the key
icon next to the name
of the file to save its associated digital signature.
- Test the Signature
- Launch the "PGPtools" program.
- Select "Decrypt/Verify."
- When asked for the file to decrypt/verify, indicate the digital signature file (ends in ".sig").
- When asked for the "signed file," indicate the electronic document file (ends in ".pdf").
- The verification runs, and should in the end indicated that the "signer" is 990online.com (not "unknown
signer"), and also that the signature matches the document, indicated with a "signed document" icon
(a pencil tip) in the "Name" column and a validation date in the "Signed" column. A validation
failure is indicated either by "Bad signature" in the "Signed" column, or any other error.
Note: Once you've place our public key on your keyring, you don't need to do so again. You can perform
subsequent verifications starting from Step 2. In fact, depending how you've installed the PGP software (whether
".sig" files are associated with the PGP software), you may be able to simply select the signature's
key icon on the documents database page in your Web browser, and the PGP software will automatically launch and
ask you which signed file to verify. If you use this mechanism, be sure to first download the electronic document
so that you can indicate that as the signed file.
Free Software: PGPfreeware
Still to be written.