INTEGRITY

my gpg key

I use a gpg key to sign all the packages. It is available on this web site (gpg.asc), but also on gpg key servers :

check rpm packages

rpm packages are signed by default.
You have to import my gpg key with the following command: gpg --import gpg.asc
Then you can check the rpm packages with the command: rpm -Kv afick*.rpm
The result should be something like:
afick-3.8.0-1.noarch.rpm:
Entête V4 RSA/SHA256 Signature, clé ID 980514b7: OK
Entête SHA256 digest: OK
Entête SHA1 digest: OK
Payload SHA256 digest: OK
MD5 digest: OK

check deb packages

deb packages are signed with the dpkg-sig tool.
You can check the deb packages with the command: dpkg-sig --verify afick_3.8.0-1debian_all.deb
The result should be something like:
Processing afick_3.8.0-1debian_all.deb...
GOODSIG _gpggerbier E5CCCF9B09CA63803DCE4C9DBE1EE0FE980514B7 1686471770

check other packages

For other archives (tar, zip, exe, ...), an extra "sig" file is provided, and you can check the integrity with the gpg command. For example: gpg --verify afick-setup-3.8.0.exe.sig afick-setup-3.8.0.exe
which will output something like:
gpg: Signature made Sat Jun 10 15:02:11 2023 CEST
gpg: using RSA key E5CCCF9B09CA63803DCE4C9DBE1EE0FE980514B7
gpg: issuer "eric.gerbier@tutanota.com"
gpg: Good signature from "Eric Gerbier " [ultimate]
gpg: aka "Eric Gerbier " [ultimate]
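
"Good signature" only says that some key in your keyring made the signature, so a scripted check should also pin the full fingerprint printed above. The following is an added example, not part of afick or of this site's original text: the function names check_status and verify_pinned are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of afick.
# Fingerprint as printed in the dpkg-sig and gpg output on this page.
AFICK_FPR="E5CCCF9B09CA63803DCE4C9DBE1EE0FE980514B7"

# Constructed sample of `gpg --status-fd 1 --verify` output (dates and
# algorithm fields are made up; only the fingerprint comes from the page).
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BE1EE0FE980514B7 Eric Gerbier
[GNUPG:] VALIDSIG $AFICK_FPR 2023-06-10 1686402131 0 4 0 1 8 00 $AFICK_FPR"

# check_status FPR
# Reads GnuPG status lines on stdin. Succeeds only when there is a GOODSIG,
# a VALIDSIG whose primary-key fingerprint equals FPR, and no status that
# reports a bad, unverifiable, expired or revoked signature or key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last
        # field is the primary-key fingerprint; compare against the latter.
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_pinned SIGFILE DATAFILE [FPR]
# Runs gpg on a detached signature and applies check_status to its result.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$AFICK_FPR}"
}

# Usage: verify_pinned afick-setup-3.8.0.exe.sig afick-setup-3.8.0.exe
```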
