A Post About Sig Files And What They Are
Recently, someone privately asked us what the .sig files in the downloaded zips were for. So we will be discussing this subject in this blog post today for those who are confused.
A .sig file, or signature file, typically contains a digital signature or a hash value used to verify the integrity and authenticity of another file or piece of data. Our signature files were generated by signing each file with GPG (GNU Privacy Guard). In this case, we signed the images and the README.txt file in the archives using Kleopatra, a program used to create, sign, and verify PGP keys. Recipients of a signed file can use GPG to verify the signature against the original file. If the signature matches, it confirms that the file has not been altered and is not a fake, and that it was indeed signed by the person who claims to have signed it.

Our PGP key is valid for a set time only, up until 02/02/2026. That is two years from now. The reason for an expiration date is to limit the amount of sensitive information that can be decrypted with the one private key that we have. So in the event that we change PGP keys, we will let everyone know by signing the new public key with the old key. In cases where our system gets corrupted or similar, we may not be able to retrieve our old key. So your sig files may stop working and come up as an invalid signature after this period. THIS IS NOT MEANT TO IMPLY THAT THE SIGNED FILES HAVE BEEN TAMPERED WITH IN THIS CASE, JUST THAT THE SIGNATURE HAS EXPIRED. The files are still trusted; it's just that the signature has expired. All a .sig file is, in this case, is a validation of the authenticity of the files at the time when they were first uploaded OR when our PGP key had to be changed for whatever reason. The files themselves are left intact. We may change download links when the PGP key has to be changed, to reflect the new key for consistency reasons. But the audio files, images, and .txt files are fine by themselves, with or without the .sig files.
The .sig files are for authenticity purposes only, and their expiration does not mean the rest of the files have gone bad, just that the signature has expired. When the .sig files expire, you can disregard them if you want. We apologise for any confusion this may cause.
To verify our PGP key, copy the text from "-----BEGIN PGP PUBLIC KEY BLOCK-----" to "-----END PGP PUBLIC KEY BLOCK-----". Note that there are exactly five lines before and after the text. Then paste the public key into the text field of the Notepad tab in Kleopatra, and it will validate the key for you. Click Import Notepad and a pop-up will appear asking you to certify the imported key. Click Yes and you should see a "Certified successful" message. The imported key should now show up in your keyring. To verify .sig files, go to File > Decrypt/Verify Files, and Kleopatra should be able to tie the .sig file to the public key you just imported.
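For readers who verify from the command line instead of Kleopatra, the added example below (not code from this blog) shows the distinction the post makes: GPG reports a valid signature from an expired key as EXPKEYSIG, which is a different outcome from BADSIG (the file or .sig was altered) or NO_PUBKEY (the public key was never imported). The key id, fingerprint and user id in the sample status output are constructed placeholders, not our real key.

```python
import subprocess
from typing import Iterable

# Constructed sample of what `gpg --status-fd 1 --verify README.txt.sig README.txt`
# emits once the signing key has passed its expiry date. Key id, fingerprint and
# user id are placeholders for illustration only.
SAMPLE_EXPIRED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1770000000
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-02-02 1706832000 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567
"""


def classify_gpg_status(status_lines: Iterable[str]) -> str:
    """Reduce gpg's machine-readable status lines to a single verdict.

    GOODSIG and EXPKEYSIG both mean the signature checks out, i.e. the file is
    byte-for-byte what was signed; EXPKEYSIG only adds that the key has since
    expired. BADSIG means the file or the .sig was altered. NO_PUBKEY/ERRSIG
    mean nothing could be checked because the signer's key is not in the keyring.
    """
    verdict = "unknown"
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # human-readable gpg output, not a status line
        keyword = parts[1]
        if keyword == "BADSIG":
            return "tampered-or-wrong-file"  # the worst outcome wins outright
        if keyword in ("NO_PUBKEY", "ERRSIG"):
            verdict = "cannot-verify-key-not-imported"
        elif keyword == "EXPKEYSIG":
            verdict = "good-signature-key-expired"
        elif keyword == "GOODSIG":
            verdict = "good-signature"
    return verdict


def verify_detached(sig_path: str, data_path: str) -> str:
    """Run gpg on a detached .sig next to its data file and classify the outcome.

    Requires gpg on PATH and the signer's public key already imported.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return classify_gpg_status(proc.stdout.splitlines())


if __name__ == "__main__":
    print(classify_gpg_status(SAMPLE_EXPIRED_KEY.splitlines()))
```

Run against a real download as `verify_detached("README.txt.sig", "README.txt")`; the verdict for an expired key is the one the post describes, a still-intact file whose signing key has lapsed.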
I hope this clears up any confusion. If you have any feedback about our practices, feel free to comment below!