Howto: Verify the Symantec Encryption product (Formerly PGP Encryption products) installation files (.sig)

Article ID: 181410

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Mobile Encryption for iOS

Issue/Introduction

 

Resolution

Historically, PGP Corporation signed the installation files that were distributed to customers, giving assurance that no modifications were made between the files being posted and the files being downloaded to the destination. This is why, when a file is downloaded and extracted, a .sig file is included so the file can be verified, provided the proper keys are in place to do so.

NOTE: Symantec Corporation continued this tradition with all Symantec Encryption products (formerly PGP Encryption products) through versions 10.3.2 and 3.3.2. Starting with Symantec Encryption products 10.3.2 MP1\3.3.2 MP1, Symantec still provides zip files, but upon extraction all installation files are immediately available for use. Although the .sig files are no longer included, all files downloaded from fileconnect.symantec.com can be validated against the SHA-1 hash values posted on the fileconnect site using any preferred hash validation tool.

Prior to Symantec Encryption products versions 10.3.2 MP1 and 3.3.2 MP1, once the installation files were released, they were signed by the Corporate Release Key that is available publicly.  As of this writing, this same Corporate Release Key is available to validate all prior versions of the software (Versions 10.3.2\3.3.2 and previous).

This Corporate Release Key continues to be named “PGP Corporate Release Key” and can be found on the PGP Global Directory Server.


The Key ID for this PGP Corporate Release Key is 0xFA85D00F.

This PGP Corporate Release Key has been signed by various trusted sources, one of which is the PGP Global Directory Verification Key.


The Key ID for the PGP Global Directory is 0xCA57AD7C.

If the PGP Global Directory key is signed and trusted by a user, the PGP Corporate Release Key, once imported into the user’s keyring, will also be trusted and can then be used to verify the downloaded installation files using the .sig file included.

In the same spirit as signing the installation files, it is a good idea to confirm that the key being used to verify the signature is the proper and correct key.

Although the PGP Corporate Release Key and PGP Global Directory keys are attached to this article, these keys can be validated by finding them on another trusted source, keyserver.pgp.com, and downloading them directly from there.
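
One way to carry out the key comparison described above, as an added example that is not Symantec's code: it assumes GnuPG is available and that each copy of the key (the article attachment and the copy downloaded from keyserver.pgp.com) has been listed with `gpg --with-colons --show-keys`. It compares full fingerprints because an eight-digit key ID such as 0xFA85D00F is only 32 bits and does not identify a key uniquely; the function names and sample fingerprints are constructed for illustration.

```python
# Added example, not Symantec's code. Each input is the text printed by
# `gpg --with-colons --show-keys <file.asc>`; all key material below is constructed.

def primary_fingerprints(listing):
    """Return the full fingerprint of every primary key in a colon listing."""
    found, expect_fpr = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_fpr = True              # the next fpr record is the primary key's
        elif fields[0] == "fpr" and expect_fpr and len(fields) > 9:
            found.append(fields[9].upper())
            expect_fpr = False             # later fpr records belong to subkeys
    return found

def compare_sources(attached, independent, key_id):
    """Check that both copies hold the same single key with the given key ID."""
    suffix = key_id.upper()
    if suffix.startswith("0X"):
        suffix = suffix[2:]
    a = [f for f in primary_fingerprints(attached) if f.endswith(suffix)]
    b = [f for f in primary_fingerprints(independent) if f.endswith(suffix)]
    if not a or not b:
        return ("missing", None)           # key ID absent from one source
    if len(a) > 1 or len(b) > 1:
        return ("ambiguous", None)         # several keys share the short key ID
    if a[0] != b[0]:
        return ("mismatch", None)          # same key ID, different key: do not trust
    return ("match", a[0])

def listing(fpr):
    """Build a constructed colon listing for one primary key plus a subkey."""
    return "\n".join([
        "pub:-:2048:17:%s:946684800:::-:" % fpr[-16:],
        "fpr:::::::::%s:" % fpr,
        "uid:-::::946684800::::Constructed sample key:",
        "sub:-:2048:16:1122334455667788:946684800::::::e:",
        "fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1122334455667788:",
    ])

GENUINE = "00112233445566778899AABBCCDDEEFFFA85D00F"    # constructed, not the real fingerprint
LOOKALIKE = "FFEEDDCCBBAA99887766554433221100FA85D00F"  # constructed, same last 8 digits

if __name__ == "__main__":
    print(compare_sources(listing(GENUINE), listing(GENUINE), "0xFA85D00F"))
    print(compare_sources(listing(GENUINE), listing(LOOKALIKE), "0xFA85D00F"))
```

Only a `match` result means the attached key and the independently obtained key are the same key; any other result means the key should not be used to verify a .sig file.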

Attachments

PGP Global Directory Verification Key.asc
PGP Corporation Release Key.asc