Skip to content

Verifying downloads

Each file on the download page is accompanied by an OpenPGP signature (a file with the same name as the package and the extension “.asc”).
It allows you to verify the file you’ve downloaded is exactly the one we intended you to get.

Info

binjr‘s automatic update feature uses the same signatures to verify the integrity of the package it downloads before installing it.

Installing GnuPG

First of all you need to have GnuPG installed before you can verify signatures.

If you are using Windows, you can install Gpg4win.

If you are using macOS, you can install GPGTools.

If you are using GNU/Linux, then you probably already have GnuPG in your system, as most GNU/Linux distributions come with it preinstalled.

Verifying signatures

  1. Download the binjr developers signing key

    curl https://binjr.eu/openpgpkey/binjr_dev_pub_keys.asc > binjr_dev_pub_keys.asc
    

  2. Import the public key:

    gpg --import binjr_dev_pub_keys.asc
    

  3. Verify the signature for the package you would like to authenticate:

    gpg --verify <package_name.extention>.asc <package_name.extention>
    

Tip

Make sure you have downloaded both the package and its signature (.asc).

If the verification is successful, the program should output something along these lines:

gpg: Signature made Mon Apr 27 23:51:53 2020 RDT
gpg:                using RSA key 412EC8A85400AC3F
gpg: Good signature from "Frederic Thevenet <thevenet.fred@free.fr>"

Back to top