Each file on the download page is accompanied by an OpenPGP signature (a file with the
same name as the package and the extension “.asc”).
It allows you to verify the file you’ve downloaded is exactly the one we intended you to get.
binjr’s automatic update feature uses the same signatures to verify the integrity of the package it downloads before installing it.
Before you can verify signatures, you need to have GnuPG installed.
If you are using Windows, you can install Gpg4win.
If you are using macOS, you can install GPGTools.
If you are using GNU/Linux, then you probably already have GnuPG in your system, as most GNU/Linux distributions come with it preinstalled.
Download the binjr developers’ signing key:
curl https://binjr.eu/openpgpkey/binjr_dev_pub_keys.asc > binjr_dev_pub_keys.asc
Import the public key:
gpg --import binjr_dev_pub_keys.asc
Verify the signature for the package you would like to authenticate:
gpg --verify <package_name.extension>.asc <package_name.extension>
Make sure you have downloaded both the package and its signature (.asc).
If the verification is successful, the program should output something along these lines:
gpg: Signature made Mon Apr 27 23:51:53 2020 RDT
gpg:                using RSA key 412EC8A85400AC3F
gpg: Good signature from "Frederic Thevenet <firstname.lastname@example.org>"
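As an added example (not part of binjr's own tooling), the script below runs the same import and verify steps against a throwaway keyring and reads GnuPG's machine-readable --status-fd output instead of the human-readable text. It accepts the package only when the signing key's fingerprint ends with the key ID you expect, such as the 412EC8A85400AC3F shown above; the function names check_status and verify_package are hypothetical.

```shell
#!/bin/sh
# Added example, not binjr's own tooling. Function names are hypothetical.

# check_status EXPECTED_KEYID
# Reads "gpg --status-fd" lines on stdin. Succeeds only when a good, valid
# signature is reported, no line flags a bad/expired/revoked signature, and
# the signing key's fingerprint ends with EXPECTED_KEYID.
check_status() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2
    good=0; bad=0; fpr=""
    while read -r tag kw arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG)  good=1 ;;
            VALIDSIG) fpr=$arg ;;   # first field: fingerprint of the signing key
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$bad" -eq 0 ] || return 1
    case "$fpr" in
        *"$expected") return 0 ;;
        *)            return 1 ;;
    esac
}

# verify_package KEYFILE SIGFILE PACKAGE EXPECTED_KEYID
# Imports KEYFILE into a temporary keyring (so keys already in your own
# keyring cannot satisfy the check), then verifies SIGFILE against PACKAGE.
verify_package() {
    home=$(mktemp -d) || return 2
    if gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null &&
       gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
           check_status "$4"
    then rc=0; else rc=1; fi
    rm -rf "$home"
    return "$rc"
}

# Example invocation (file names are placeholders):
#   sh verify.sh binjr_dev_pub_keys.asc <package>.asc <package> 412EC8A85400AC3F
if [ "$#" -eq 4 ]; then
    verify_package "$@"
    exit
fi
```

A non-zero exit status means the package should not be installed: either the signature did not verify or it was made by a key other than the expected one.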