As you can see on our GitHub release page, as part of our release process we create a .asc file corresponding to each downloadable package. Each .asc file is an ASCII file containing a plain-text digital signature of the corresponding package file.

How to verify the signature

  • Download and install GnuPG for your operating system
  • Download the package and the corresponding .asc and put them in the same directory
  • Run the command gpg -vv --verify package_name.asc; you will get something like:

    gpg --keyserver -vv --verify
    gpg: armor: BEGIN PGP SIGNATURE
    # off=0 ctb=89 tag=2 hlen=3 plen=563
    :signature packet: algo 1, keyid BF019D784ED7F785
        version 4, created 1546970066, md5len 0, sigclass 0x00
        digest algo 10, begin of digest 8d 2f
        hashed subpkt 33 len 21 (issuer fpr v4 3E2455BB66A07C8E5547BB2ABF019D784ED7F785)
        hashed subpkt 2 len 4 (sig created 2019-01-08)
        subpkt 16 len 8 (issuer key ID BF019D784ED7F785)
        data: [4095 bits]
    gpg: assuming signed data in ''
    gpg: Signature made mar 08 gen 2019 18:54:26 CET
    gpg:                con RSA chiave 3E2455BB66A07C8E5547BB2ABF019D784ED7F785

  • You can then verify the keyid against a public keyserver with the command gpg --search-keys BF019D784ED7F785 and you should get:

    gpg --keyserver --search-keys BF019D784ED7F785
    gpg: data source:
    (1)    Sober Lemur S.a.s. 
          4096 bit RSA key BF019D784ED7F785, created: 2018-12-20
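
A key-ID search only shows that a key with that ID exists on the keyserver, so the stronger check is to compare the full fingerprint of the signing key with a value obtained through a channel you trust. The script below is an added example, not part of the project's release tooling: it parses gpg's machine-readable --status-fd output and accepts a package only when the signature is valid and made by the pinned fingerprint. EXPECTED_FPR is copied from the sample output above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's tooling): pin the signer's full fingerprint.
# Value copied from the "issuer fpr" line in the sample output on this page;
# confirm it through a channel you trust before relying on it.
EXPECTED_FPR="3E2455BB66A07C8E5547BB2ABF019D784ED7F785"

# check_status FPR  (hypothetical helper)
# Reads GnuPG status lines on stdin. Succeeds only if a VALIDSIG line names FPR
# as the signing key or the primary key, and no line reports a bad signature
# or an expired or revoked key.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    matched=1
    rejected=0
    while read -r prefix keyword signer rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # $signer: signing key fingerprint; last field: primary key's.
                primary=${rest##* }
                if [ "$signer" = "$want" ] || [ "$primary" = "$want" ]; then
                    matched=0
                fi
                ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                rejected=1
                ;;
        esac
    done
    [ "$matched" -eq 0 ] && [ "$rejected" -eq 0 ]
}

# verify_release PACKAGE  (hypothetical helper)
# Expects PACKAGE and PACKAGE.asc side by side and the signer's public key
# already imported into the local keyring.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | check_status "$EXPECTED_FPR"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    if verify_release "$1"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "FAIL: $1 did not verify against the pinned fingerprint" >&2
        exit 1
    fi
fi
```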
