== Source Tarballs ==
The source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are signed with [http://www.gnupg.org/ GPG] by on of the following people:
||'''Signer'''||'''Key Signature'''||
||Mark Doliner||`4C292FCC`||
||Ethan Blanton||`771FC72B`||
||Stu Tomlinson||`A9464AA9`|| 

The signatures for the source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are provided as separate `$FILENAME.asc` downloads from the same sourceforge download directory.

You can verify a tarball by downloading both the tarball and its corresponding .asc file:
{{{
gpg --verify $FILENAME.asc
}}}
If you haven't already imported the key that was used to sign the tarballs, you'll get a message about an unknown key when you attempt to verify; you'll need to import one of the above key signatures from a public keyserver (e.g. pgp.mit.edu):
{{{
gpg --keyserver pgp.mit.edu --recv-key $KEYSIGNATURE
}}}

You can read more about how the signing and verification works in the [http://www.gnupg.org/gph/en/manual.html GPG Handbook].

=== Windows Installers ===
As of Pidgin 2.10.7, the Windows installers are signed using the [http://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx Microsoft Authenticode] signing mechanism by Daniel Atallah using a key with a thumbprint of `C5476901C3C63FABF54CEBA9E3F887932A9579B5`.

The signature can be verified most easily by using Windows Explorer to look at the Properties of the installer executable.
In the "Digital Signatures" tab, you can look at the Details of the signature, "View Certificate", and compare the (case-insensitive, whitespace-insensitive) "Thumbprint" value in the "Details" tab to the value listed above.[[Image(windows_cert_verify_thumbprint.jpg)]]

Alternatively, the signature can be verified using Microsoft's `signtool.exe` utility (which, unfortunately, in order to obtain, requires that you install the at least parts of Microsoft Platform SDK).
