IgnorantGuru's Blog

Linux software, news, and tips


All of my software and source code is signed for your protection. Verifying the authenticity of downloaded files prior to installation is important to ensure that your download is not corrupt and that no one has tampered with the server holding the files.

When downloading files from github, the authentication steps below are generally not necessary, as git includes strong integrity-checking mechanisms.

All source tarballs and packages are distributed with a file named PROGRAMVERSION.SHA256.asc. (On github, these files will be located in the packages subfolder.) Download this asc file as well as the source or package files you need, and follow these instructions to authenticate:

1) If you don't already have IgnorantGuru's CURRENT key on your keyring:

 gpg --keyserver keys.gnupg.net --recv-keys 0x01937621 0x107165A1
 (if you receive an error, try again)
Also visually verify that the given fingerprint matches the one shown here:

2) Check signature and files (substitute values for PROGRAM and VERSION):

  gpg -d PROGRAM-VERSION.SHA256.asc | sha256sum --check

This should report a good signature and an OK for each file present:

    gpg: Signature made <SIGNATURE DATE> using DSA key ID 01937621 [or 107165A1]
    gpg: Good signature from IgnorantGuru <EMAIL>
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    sha256sum: WARNING: x lines are improperly formatted

If "BAD signature" or the wrong key ID is reported, or if FAILED appears
next to any file you plan to use, DO NOT USE the file.  A "key is not
certified" warning (shown above) is normal and can be safely ignored if
you visually verified the key fingerprint in step 1.
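A scripted version of steps 1 and 2, added here as an example and not part of IgnorantGuru's page or tooling: it makes the accept/reject decision from gpg's machine-readable `--status-fd` lines and the full key fingerprint rather than from the human-readable "Good signature" text. `EXPECTED_FPR` is a placeholder for the fingerprint you checked by eye in step 1, and `gpg_status_ok`/`sums_ok`/`verify_release` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from IgnorantGuru's page. Scripts the two manual steps so
# the accept/reject decision rests on gpg's machine-readable --status-fd lines
# and on the FULL key fingerprint (short 8-hex-digit key IDs are not unique),
# rather than on the human-readable "Good signature" text.
# EXPECTED_FPR is a placeholder: paste the fingerprint you verified in step 1.
EXPECTED_FPR="0000000000000000000000000000000000000000"   # placeholder value

# gpg_status_ok FPR: read "[GNUPG:] ..." status lines on stdin. Succeed only if
# a VALIDSIG line names FPR (field 3 is the signing key, last field the primary
# key) and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line appears.
gpg_status_ok() {
    awk -v fpr="$1" '
        BEGIN { fpr = fpr "" }             # force string, not numeric, compare
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { valid = 1 }
        END { if (valid && !bad) exit 0; exit 1 }'
}

# sums_ok: read "sha256sum --check" output on stdin. Succeed only if at least
# one file reports OK and none reports FAILED (incl. "FAILED open or read").
sums_ok() {
    awk '
        /: FAILED/ { failed = 1 }
        /: OK$/    { ok = 1 }
        END { if (ok && !failed) exit 0; exit 1 }'
}

# verify_release FILE.SHA256.asc: the page's "gpg -d ... | sha256sum --check",
# with gpg status captured on fd 2. --ignore-missing skips files you did not
# download (coreutils >= 8.25); if nothing at all was verified there is no OK
# line and sums_ok fails, so a misspelled filename is still caught.
verify_release() {
    status=$(mktemp) && sums=$(mktemp) || return 1
    gpg --status-fd 2 --decrypt "$1" 2>"$status" \
        | sha256sum --check --ignore-missing >"$sums" 2>&1
    gpg_status_ok "$EXPECTED_FPR" <"$status" && sums_ok <"$sums"
    rc=$?
    rm -f "$status" "$sums"
    return "$rc"
}

if [ "$#" -eq 1 ]; then
    verify_release "$1" && echo "verified: OK to use" || { echo "DO NOT USE"; exit 1; }
fi
```

Run it as `sh verify.sh PROGRAM-VERSION.SHA256.asc` from the directory holding the downloaded files; it exits non-zero whenever the page's rule says "DO NOT USE".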
