== What is a signature and why should I check it? ==
When you download a file from the internet, you don't have a good way of knowing if it may have been tampered with.  It's not beyond the realm of possibility that someone could release a patched version of pidgin that transparently captured your passwords and uploaded them to some server.

This is where signatures come in - file signatures are very similar in concept to the idea behind signing both the back of your credit card, and a credit card receipt.  The signature is a verification that the file came from who it was expected to come from.

You probably have noticed that vendors frequently don't bother to compare the signature on the receipt to the signature on the back of the card, which makes it so that anyone could have been using the credit card (let's pretend that the signature on a credit card slip isn't trivially easy to forge).  Similarly, if you don't verify the signature on a file, even if the file is signed, you don't have any confidence that it came from where it was expected to come from.

Due to the nature of how signing works, an additional benefit is that if you verify the signature, you can be confident that nothing got corrupted during the download process - the file you have is exactly as it was when it was signed.

== Source Tarballs ==
The source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are signed with [http://www.gnupg.org/ GPG] by one of the following people:
||'''Signer'''||'''Key Signature'''||
||Mark Doliner||`4C292FCC`||
||Ethan Blanton||`771FC72B`||
||Stu Tomlinson||`A9464AA9`|| 

The signatures for the source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are provided as separate `$FILENAME.asc` downloads from the same sourceforge download directory.

You can verify a tarball by downloading both the tarball and its corresponding .asc file:
{{{
gpg --verify $FILENAME.asc
}}}
If you haven't already imported the key that was used to sign the tarballs, you'll get a message about an unknown key when you attempt to verify; you'll need to import one of the above key signatures from a public keyserver (e.g. pgp.mit.edu):
{{{
gpg --keyserver pgp.mit.edu --recv-key $KEYSIGNATURE
}}}

You can read more about how the signing and verification works in the [http://www.gnupg.org/gph/en/manual.html GPG Handbook].

=== Windows Installers ===
As of Pidgin 2.10.7, the Windows installers are signed using the [http://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx Microsoft Authenticode] signing mechanism by Daniel Atallah using a key with a thumbprint of `C5476901C3C63FABF54CEBA9E3F887932A9579B5`.

The signature can be verified most easily by using Windows Explorer to look at the Properties of the installer executable.
In the "Digital Signatures" tab, you can look at the Details of the signature, "View Certificate", and compare the (case-insensitive, whitespace-insensitive) "Thumbprint" value in the "Details" tab to the value listed above.[[Image(windows_cert_verify_thumbprint.jpg)]]

Alternatively, the signature can be verified using Microsoft's `signtool.exe` utility (which, unfortunately, in order to obtain, requires that you install the at least parts of Microsoft Platform SDK).
