As you can see on our GitHub release page, as part of our release process we create a .asc file corresponding to each downloadable package. Files .asc are ASCII file containing a plain text digital signature of the corresponding package file.
How to verify the signature
- Download and install GnuPG for your operating system
- Download the package and the corresponding
.ascand put them in the same directory - Run the command
gpg -vv --verify package_name.asc, you will get something like:gpg --keyserver keyserver.ubuntu.com -vv --verify pdfsam-4.0.1-linux.zip.asc gpg: armor: BEGIN PGP SIGNATURE # off=0 ctb=89 tag=2 hlen=3 plen=563 :signature packet: algo 1, keyid BF019D784ED7F785 version 4, created 1546970066, md5len 0, sigclass 0x00 digest algo 10, begin of digest 8d 2f hashed subpkt 33 len 21 (issuer fpr v4 3E2455BB66A07C8E5547BB2ABF019D784ED7F785) hashed subpkt 2 len 4 (sig created 2019-01-08) subpkt 16 len 8 (issuer key ID BF019D784ED7F785) data: [4095 bits] gpg: assuming signed data in 'pdfsam-4.0.1-linux.zip' gpg: Signature made mar 08 gen 2019 18:54:26 CET gpg: con RSA chiave 3E2455BB66A07C8E5547BB2ABF019D784ED7F785 - You can then verify the keyid against a public keyserver with the command
gpg --search-keys BF019D784ED7F785and you should get:gpg --keyserver keyserver.ubuntu.com --search-keys BF019D784ED7F785 gpg: data source: https://192.146.137.98:443 (1) Sober Lemur S.a.s.