The signature check process depends on the pgp/gnupg version you
are using.  Please refer to the manual of your pgp/gnupg software
for details on usage.  There are step-by-step instructions for
some of the most popular pgp/gnupg versions below.


PGP-2.6.x (international release only):

 1) Store the RSA distribution key in file SSH2-DISTRIBUTION-KEY-RSA.asc
    into your public keyring, in case it is not already there.
    The command line is `pgp SSH2-DISTRIBUTION-KEY-RSA.asc'.

 2) Rename file ssh-X.Y.Z.tar.gz.sig-pgp2 to ssh-X.Y.Z.tar.gz.sig.
    X.Y.Z is the version number of the ssh release.

 3) Run the command `pgp ssh-X.Y.Z.tar.gz.sig'.  If pgp can't find the
    file to which the signature file applies, it asks the user for the
    filename.  The correct answer to the question is `ssh-X.Y.Z.tar.gz'.

 4) Now pgp should give a message like:

      Good signature from user "Ssh 2 Distribution Key <[email protected]>".
      Signature made YYYY/MM/DD HH:MM GMT using 2048-bit key, key ID AFCA7459

 5) Signature is verified.


PGP-5.x:

 1) Store the DSA distribution key in file SSH2-DISTRIBUTION-KEY-DSA.asc
    into your public keyring, in case it is not already there.
    The command line is `pgpk -a SSH2-DISTRIBUTION-KEY-DSA.asc'.

 2) Rename file ssh-X.Y.Z.tar.gz.sig-pgp5 to ssh-X.Y.Z.tar.gz.sig.
    X.Y.Z is the version number of the ssh release.

 3) Run the command `pgpv ssh-X.Y.Z.tar.gz.sig'.  If pgp can't find the
    file to which the signature file applies, it asks the user for the
    filename.  The correct answer to the question is `ssh-X.Y.Z.tar.gz'.

 4) Now pgp should give a message like:

      Good signature made YYYY-MM-DD HH:MM GMT GMT by key:
      1024 bits, Key ID 83FB127C, Created 2000-06-13
        "Ssh 2 Distribution Key <[email protected]>"

 5) Signature is verified.

 6) If you have the international version of pgp-5.x you can also check
    the RSA key.  In that case, add the RSA keyfile to your public
    keyring as well, and in phase 2, rename file ssh-X.Y.Z.tar.gz.sig-pgp2
    to ssh-X.Y.Z.tar.gz.sig instead of ssh-X.Y.Z.tar.gz.sig-pgp5.  With
    this signature, the successful verification message should look like:

      Good signature made YYYY-MM-DD HH:MM GMT GMT by key:
      2048 bits, Key ID AFCA7459, Created 1998-07-11
       "Ssh 2 Distribution Key <[email protected]>"


GnuPG-1.0.x:

 1) Store the DSA distribution key in file SSH2-DISTRIBUTION-KEY-DSA.asc
    into your public keyring, in case it is not already there.
    The command line is `gpg --import SSH2-DISTRIBUTION-KEY-DSA.asc'.

 2) Rename file ssh-X.Y.Z.tar.gz.sig-gpg to ssh-X.Y.Z.tar.gz.sig.
    X.Y.Z is the version number of the ssh release.

 3) Run the command `gpg --verify ssh-X.Y.Z.tar.gz.sig'.  If gpg can't
    find the file to which the signature file applies, it asks the user
    for the filename.  The correct answer to the question is
    `ssh-X.Y.Z.tar.gz'.

 4) Now gpg should give a message like:

      Signature made Day DD Mon YYYY HH:MM:SS PM GMT using DSA key ID 83FB127C
      Good signature from "Ssh 2 Distribution Key <[email protected]>"

 5) Signature is verified.

 6) Other types of signatures can also be verified with gpg.  For RSA
    signature checking, the RSA plugin (international version) is needed.
    Consult the manual of your software for details.


PGP-6.5.x:

 1) Store the DSA distribution key into your keyring.

 2) Rename file ssh-X.Y.Z.tar.gz.sig-pgp5 to ssh-X.Y.Z.tar.gz.sig.
    X.Y.Z is the version number of the ssh release.

 3) Run the command `pgp ssh-X.Y.Z.tar.gz.sig'.  If pgp can't find the
    file to which the signature file applies, it asks the user for the
    filename.  The correct answer to the question is `ssh-X.Y.Z.tar.gz'.

 4) Now pgp should give a message like:

      Good signature from user "Ssh 2 Distribution Key <[email protected]>".
      Signature made YYYY/MM/DD HH:MM GMT

 5) Signature is verified.

 6) The international version of pgp-6.5.x can also check the RSA
    signature.  Consult your manual for details.  A signature generated
    for gpg can't be checked with pgp-6.5.x.  An attempt to do so will
    most likely produce a message like:

      Bad signature from user "Ssh 2 Distribution Key <[email protected]>".

    So it's not even worth trying.


Information About The Distribution Keys

 The following keys are used in signature generation:

   RSA 2048/AFCA7459 1998-07-11 Ssh 2 Distribution Key <[email protected]>
                                Ssh 2 Distribution Key <[email protected]>
       Fingerprint: 2A 06 2C 83 F0 A6 72 52  3A 4D 4A FA 20 15 EE 74

   DSA 1024/83FB127C 2000-06-13 Ssh 2 Distribution Key <[email protected]>
                                Ssh 2 Distribution Key <[email protected]>
       Fingerprint: A348 205D F1D8 2297 0A46  D961 ED7B 28CD 83FB 127C
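

The following is an added example, not part of the ssh distribution. It applies to the GnuPG steps above: the "Good signature" message shows only a user ID string and an 8-digit key ID, both of which a different key can carry, so the script compares the full fingerprint that gpg reports on `--status-fd' with the DSA fingerprint listed above. The function names are hypothetical and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: accept a gpg verification only if the signing key's full
# fingerprint matches the DSA fingerprint published in this file.
PINNED_FPR="A348205DF1D822970A46D961ED7B28CD83FB127C"

# check_status: reads `gpg --status-fd 1 --verify ...' output on stdin.
# Succeeds only if exactly one VALIDSIG line is present, it carries the
# pinned fingerprint, and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG was reported.
check_status() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { n++; if (toupper($3) == want) ok = 1; else bad = 1 }
        END { exit ((ok && !bad && n == 1) ? 0 : 1) }
    '
}

# verify_release SIGFILE TARBALL: hypothetical wrapper around gpg itself.
# The human-readable messages on stderr are discarded; only status lines count.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed status output: signature made by the pinned key.
sample_good() {
cat <<'EOF'
[GNUPG:] GOODSIG ED7B28CD83FB127C Ssh 2 Distribution Key
[GNUPG:] VALIDSIG A348205DF1D822970A46D961ED7B28CD83FB127C 2001-01-01 978307200 0 3 0 17 2 00 A348205DF1D822970A46D961ED7B28CD83FB127C
EOF
}

# Constructed status output: a different key that shares the short key ID
# 83FB127C and the same user ID string (fingerprint is made up).
sample_lookalike() {
cat <<'EOF'
[GNUPG:] GOODSIG 1111111183FB127C Ssh 2 Distribution Key
[GNUPG:] VALIDSIG 111111111111111111111111111111111111111183FB127C 2001-01-01 978307200 0 3 0 17 2 00 111111111111111111111111111111111111111183FB127C
EOF
}

sample_good | check_status && echo "sample_good: accepted"
sample_lookalike | check_status || echo "sample_lookalike: rejected"
```

With a real release, call `verify_release ssh-X.Y.Z.tar.gz.sig-gpg ssh-X.Y.Z.tar.gz' and act on its exit status.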