As you can see on our GitHub release page, as part of our release process we create a .asc file corresponding to each downloadable package. Files .asc are ASCII file containing a plain text digital signature of the corresponding package file.

How to verify the signature

  • Download and install GnuPG for your operating system
  • Download the package and the corresponding .asc and put them in the same directory
  • Run the command gpg -vv --verify package_name.asc, you will get something like:

    gpg --keyserver -vv --verify
    gpg: armor: BEGIN PGP SIGNATURE
    # off=0 ctb=89 tag=2 hlen=3 plen=563
    :signature packet: algo 1, keyid A3FC4B4C79E8FD49
    	version 4, created 1676989287, md5len 0, sigclass 0x00
    	digest algo 10, begin of digest ad 24
    	hashed subpkt 33 len 21 (issuer fpr v4 9F2499EF7ABB9050D7401BCAA3FC4B4C79E8FD49)
    	hashed subpkt 2 len 4 (sig created 2023-02-21)
    	subpkt 16 len 8 (issuer key ID A3FC4B4C79E8FD49)
    	data: [4094 bits]
    gpg: assuming signed data in ''
    gpg: Signature made mar 21 feb 2023, 15:21:27 CET
    gpg:                con RSA chiave 9F2499EF7ABB9050D7401BCAA3FC4B4C79E8FD49

  • You can then verify the keyid against a public keyserver with the command gpg --keyserver --search-keys A3FC4B4C79E8FD49 and you should get:

    gpg --keyserver --search-keys A3FC4B4C79E8FD49
    gpg: data source:
    (1)    Sober Lemur S.r.l. 
    	  4096 bit RSA key A3FC4B4C79E8FD49, created: 2023-02-21

Edit 21st of Feb 2023: a new key is used to sign the artifacts since 21st February 2023 to reflect the new company name. The old key id was BF019D784ED7F785

3 Replies to “How to verify that the downloaded package has not been compromised”

Leave a Reply

Your email address will not be published. Required fields are marked *