As you can see on our GitHub release page, as part of our release process we create a .asc
file corresponding to each downloadable package. The .asc files
are ASCII files containing a plain-text digital signature of the corresponding package file.
How to verify the signature
- Download and install GnuPG for your operating system
- Download the package and the corresponding .asc and put them in the same directory
- Run the command

      gpg -vv --verify package_name.asc

  you will get something like:

      gpg --keyserver keyserver.ubuntu.com -vv --verify pdfsam-4.0.1-linux.zip.asc
      gpg: armor: BEGIN PGP SIGNATURE
      # off=0 ctb=89 tag=2 hlen=3 plen=563
      :signature packet: algo 1, keyid A3FC4B4C79E8FD49
          version 4, created 1676989287, md5len 0, sigclass 0x00
          digest algo 10, begin of digest ad 24
          hashed subpkt 33 len 21 (issuer fpr v4 9F2499EF7ABB9050D7401BCAA3FC4B4C79E8FD49)
          hashed subpkt 2 len 4 (sig created 2023-02-21)
          subpkt 16 len 8 (issuer key ID A3FC4B4C79E8FD49)
          data: [4094 bits]
      gpg: assuming signed data in 'pdfsam-4.0.1-linux.zip'
      gpg: Signature made mar 21 feb 2023, 15:21:27 CET
      gpg: con RSA chiave 9F2499EF7ABB9050D7401BCAA3FC4B4C79E8FD49

- You can then verify the keyid against a public keyserver with the command

      gpg --keyserver keyserver.ubuntu.com --search-keys A3FC4B4C79E8FD49

  and you should get:

      gpg --keyserver keyserver.ubuntu.com --search-keys A3FC4B4C79E8FD49
      gpg: data source: https://192.146.137.98:443
      (1) Sober Lemur S.r.l.
          4096 bit RSA key A3FC4B4C79E8FD49, created: 2023-02-21
Edit 21st of Feb 2023: since 21st February 2023 a new key is used to sign the artifacts, to reflect the new company name. The old key ID was BF019D784ED7F785.
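An added example, not part of the PDFsam documentation: the keyserver lookup above matches only the 64-bit key ID, so this script checks gpg's machine-readable status output against the full fingerprint printed in the sample output. The names `check_status` and `verify_package` and the sample status lines are constructed for illustration; `verify_package` assumes gpg is installed and the signing key has already been imported.

```shell
#!/bin/sh
# Added example: pin the signer's full fingerprint, not just the 64-bit key ID.
# Value copied from the "issuer fpr v4" line of the sample output on this page.
EXPECTED_FPR="9F2499EF7ABB9050D7401BCAA3FC4B4C79E8FD49"

# check_status FPR (hypothetical helper): reads `gpg --status-fd 1 --verify`
# output on stdin. Succeeds only when gpg reported GOODSIG plus a VALIDSIG whose
# signing-key or primary-key fingerprint equals FPR, and no failure status.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # ($3 "") forces a string comparison of the 40-hex-digit fingerprint
        $2 == "VALIDSIG" && (($3 "") == want || ($NF "") == want) { pinned = 1 }
        # gpg can emit VALIDSIG next to EXPKEYSIG/REVKEYSIG, so reject those too
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_package SIGFILE [FPR] (hypothetical wrapper): runs gpg on the detached
# signature; gpg finds the package by stripping ".asc", as in the steps above.
verify_package() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        check_status "${2:-$EXPECTED_FPR}"
}

# Constructed status lines, shaped like gpg's output for a good signature.
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A3FC4B4C79E8FD49 Sober Lemur S.r.l.
[GNUPG:] VALIDSIG $EXPECTED_FPR 2023-02-21 1676989287 0 4 0 1 10 00 $EXPECTED_FPR"

if printf '%s\n' "$SAMPLE_STATUS" | check_status "$EXPECTED_FPR"; then
    echo "sample status: fingerprint pinned"
fi
```

Call `verify_package pdfsam-4.0.1-linux.zip.asc` from the directory holding both files; a non-zero exit status means the signature did not come from the pinned key.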
How do I validate the .asc file on Windows, using GPG?