Appendix E: PuTTY download keys and signatures
We create GPG signatures for all the PuTTY files distributed from our web site, so that users can be confident that the files have not been tampered with. Here we identify our public keys, and explain our signature policy so you can have an accurate idea of what each signature guarantees. This description is provided as both a web page on the PuTTY site, and an appendix in the PuTTY manual.
As of release 0.58, all of the PuTTY executables contain fingerprint material (usually accessed via the -pgpfp command-line option), such that if you have an executable you trust, you can use it to establish a trust path, for instance to a newer version downloaded from the Internet.
(Note that none of the keys, signatures, etc mentioned here have anything to do with keys used with SSH - they are purely for verifying the origin of files distributed by the PuTTY team.)
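The trust path described above comes down to checking that the key which made a signature is one whose fingerprint you already trust. The sketch below is an added example, not part of the PuTTY documentation: it assumes GnuPG's `--status-fd` output format, the function names are hypothetical, and the sample fingerprints are constructed.

```shell
# Added example: function names are hypothetical, not part of PuTTY or GnuPG.

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real key).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Key <key@example.invalid>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2020-01-01 1577836800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# normalize_fpr FPR: strip spaces/colons and upper-case the hex digits, so a
# fingerprint copied from a trusted source compares equal to gpg's compact form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# validsig_matches STATUS TRUSTED_FPR
# Succeeds only if STATUS contains a VALIDSIG line whose signing-key
# fingerprint (field 3) or primary-key fingerprint (last field) equals
# TRUSTED_FPR. A "good signature" from any other key is rejected.
validsig_matches() {
    want=$(normalize_fpr "$2")
    [ -n "$want" ] || return 1
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# verify_download FILE SIG TRUSTED_FPR
# Runs gpg on a detached signature, then applies the fingerprint check.
# Requires the signing key to be present in the local keyring already.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    validsig_matches "$status" "$3"
}
```

Pass `verify_download` the fingerprint exactly as displayed by the executable you already trust; a signature that verifies but was made by a different key makes the function fail.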