As you can see on our GitHub release page, as part of our release process we create a .asc file corresponding to each downloadable package. Each .asc file is an ASCII (armored) text file containing the plain-text digital signature of the corresponding package file.

How to verify the signature

  • Download and install GnuPG for your operating system
  • Download the package and the corresponding .asc and put them in the same directory
  • Run the command gpg -vv --verify package_name.asc; you will get something like:

    gpg --keyserver keyserver.ubuntu.com -vv --verify pdfsam-4.0.1-linux.zip.asc
    gpg: armor: BEGIN PGP SIGNATURE
    # off=0 ctb=89 tag=2 hlen=3 plen=563
    :signature packet: algo 1, keyid A3FC4B4C79E8FD49
    	version 4, created 1676989287, md5len 0, sigclass 0x00
    	digest algo 10, begin of digest ad 24
    	hashed subpkt 33 len 21 (issuer fpr v4 9F2499EF7ABB9050D7401BCAA3FC4B4C79E8FD49)
    	hashed subpkt 2 len 4 (sig created 2023-02-21)
    	subpkt 16 len 8 (issuer key ID A3FC4B4C79E8FD49)
    	data: [4094 bits]
    gpg: assuming signed data in 'pdfsam-4.0.1-linux.zip'
    gpg: Signature made mar 21 feb 2023, 15:21:27 CET
    gpg:                con RSA chiave 9F2499EF7ABB9050D7401BCAA3FC4B4C79E8FD49

  • You can then verify the key ID against a public keyserver with the command gpg --keyserver keyserver.ubuntu.com --search-keys A3FC4B4C79E8FD49, and you should get:

    gpg --keyserver keyserver.ubuntu.com --search-keys A3FC4B4C79E8FD49
    gpg: data source: https://192.146.137.98:443
    (1)    Sober Lemur S.r.l. 
    	  4096 bit RSA key A3FC4B4C79E8FD49, created: 2023-02-21

Edit 21st of Feb 2023: since 21st February 2023 a new key is used to sign the artifacts, to reflect the new company name. The old key ID was BF019D784ED7F785.
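A good signature from gpg only proves that the file was signed by some key in your keyring; what protects you against a substituted package and a substituted .asc is that the signing key's fingerprint is the one you expect. The following helper, added here as an example and not part of the PDFsam release tooling, runs gpg with its machine-readable status output and accepts the package only if the VALIDSIG fingerprint matches the pinned value 9F2499EF7ABB9050D7401BCAA3FC4B4C79E8FD49 shown above; the function and file names are assumptions.

```python
"""Verify a detached OpenPGP signature and pin the signer's fingerprint.

gpg --verify alone says the signature is valid for *some* key in your keyring.
check_status additionally requires the full fingerprint reported on the
VALIDSIG status line to equal a pinned value, so a valid signature made with
an unexpected key is rejected.
"""
import subprocess
import sys
from typing import Iterable, Tuple

# Fingerprint of the current PDFsam signing key, as printed by gpg -vv above
# (issuer fpr v4 ...). Pin the full 40-hex fingerprint, not the 16-hex key ID.
PDFSAM_SIGNING_FPR = "9F2499EF7ABB9050D7401BCAA3FC4B4C79E8FD49"


def check_status(status_lines: Iterable[str], expected_fpr: str) -> Tuple[bool, str]:
    """Interpret gpg --status-fd lines ("[GNUPG:] KEYWORD args...").

    Returns (ok, reason). ok is True only when gpg reported GOODSIG and a
    VALIDSIG whose fingerprint equals expected_fpr (case-insensitive).
    """
    goodsig = False
    seen_fprs = []
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable text, not a status line
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            seen_fprs.append(fields[2].upper())  # field 2 is the signing key fingerprint
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"gpg reported {keyword}"
    if not goodsig:
        return False, "no GOODSIG in gpg status output"
    if expected_fpr.upper() not in seen_fprs:
        return False, f"signed by unexpected key(s): {seen_fprs or 'none'}"
    return True, "good signature from the pinned key"


def verify_package(package: str, signature: str, expected_fpr: str = PDFSAM_SIGNING_FPR) -> Tuple[bool, str]:
    """Run gpg on a package/.asc pair; status lines go to stdout via --status-fd 1."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, package],
        capture_output=True, text=True,
    )
    return check_status(proc.stdout.splitlines(), expected_fpr)


if __name__ == "__main__":
    # Usage: python verify_pdfsam.py pdfsam-4.0.1-linux.zip pdfsam-4.0.1-linux.zip.asc
    ok, reason = verify_package(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "REJECT: ") + reason)
    sys.exit(0 if ok else 1)
```

If the key is not yet in your keyring, gpg reports ERRSIG/NO_PUBKEY and the check fails closed; import it with the --search-keys command above first.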

3 Replies to “How to verify that the downloaded package has not been compromised”
