We want you to feel safe using our products, and to make sure you're using authentic builds of Review Board.
We cryptographically sign all of our downloads using PGP signatures. You can download the signatures to verify that the files are indeed created by us and have not been tampered with or corrupted.
Here's how it works
Every single file available on downloads.reviewboard.org comes with a matching .asc file, which contains a PGP signature. This signature identifies the build was signed by our private key or one of its subkeys (listed below), which is unique to us and carefully protected.
Each grouping of downloads for a given release also has a matching .sha256sum file, which contains the SHA-256 checksums for each file in the release. You can verify those checksums to be sure you're getting what you expect. This file also has a matching .asc signature file.
How to verify our signatures
Installing the software
To validate the authenticity of the files, you'll need two tools:
- sha256sum: Validates SHA-256 checksums
- GnuPG: The GNU Privacy Guard, for validating signatures
If you're running Linux/MacOS X, you probably have sha256sum, and you can get GnuPG from either your package manager or from GnuPG.org.
If you're running Windows, you can get these from Cygwin. Alternatively, you can download standalone versions of both:
Here are some tutorials on how all this works, and how to get started:
- "The Best PGP Tutorial for Mac OS X, Ever"
- "PGP Tutorial for Newbs (Gpg4Win)"
- GnuPG How To from Ubuntu
Adding our key
Once you have GnuPG installed, you'll need our PGP public key. This is used to verify the signatures in the .asc files. You can fetch this through a terminal by typing:
$ gpg --recv-keys 285291B34ED1F993 gpg: requesting key 4ED1F993 from hkps server hkps.pool.sks-keyservers.net gpg: key 4ED1F993: public key "Beanbag, Inc. (Support) <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
Signing our key (optional)
Now that you have the key, you can locally sign it with your own private key in order to trust it. You don't have to do this, but it means you don't have to check all the fingerprints later every time you go to verify a build.
By locally signing, your trust in the key will remain purely local to your system, and won't become part of the web of trust. You'll do this with the --lsign-key command. If you do fully trust this key and wish to state that fact (for instance, if you're convinced in the authenticity by fully trusting that what you're reading right now is legit, and have verified this key was signed by people you trust) then you can sign normally with --sign-key instead.
(If you don't have a private key, follow one of the tutorials above to get one.)
$ gpg --lsign-key 285291B34ED1F993 pub 4096R/4ED1F993 created: 2015-05-23 expires: 2021-10-27 usage: SC trust: unknown validity: unknown sub 2048R/E47A2499 created: 2015-05-23 expires: 2021-10-27 usage: S sub 2048R/82FB3BC7 created: 2015-05-23 expires: 2021-10-27 usage: E sub 2048R/15A49BAB created: 2015-05-23 expires: 2021-10-27 usage: A sub 2048R/45668428 created: 2015-05-26 expires: 2021-10-27 usage: S sub 2048R/E76A450C created: 2016-01-14 expires: 2021-10-27 usage: E sub 2048R/C444966C created: 2015-05-26 expires: 2021-10-27 usage: A sub 2048R/27F894C8 created: 2016-01-14 expires: 2021-10-27 usage: S sub 2048R/3A46BCD8 created: 2016-01-14 expires: 2021-10-27 usage: E sub 2048R/1F6FF592 created: 2016-01-14 expires: 2021-10-27 usage: A [ unknown] (1). Beanbag, Inc. (Support) <[email protected]> [ unknown] (2) Beanbag, Inc. (Sales) <[email protected]> [ unknown] (3) Review Board Project Team <[email protected]> Really sign all user IDs? (y/N) y pub 4096R/4ED1F993 created: 2015-05-23 expires: 2021-10-27 usage: SC trust: unknown validity: unknown Primary key fingerprint: 09D5 06DA BB62 A09E 891D A9F3 2852 91B3 4ED1 F993 Beanbag, Inc. (Support) <[email protected]> Beanbag, Inc. (Sales) <[email protected]> Review Board Project Team <[email protected]> This key is due to expire on 2021-10-27. Are you sure that you want to sign this key with your key "Your key information" The signature will be marked as non-exportable. Really sign? (y/N) y
That's a lot of information to throw at you, but it's just giving you a complete understanding of our key. Make sure to verify what you see with what's here. If it's different, it's not our key.
When prompted, enter the password you've set for your own private key. Congrats, it's signed! You can now verify our signatures.
Verifying signatures
Now that you have the key, you can verify a signature of a download. Once you've downloaded a file, download its corresponding .asc file as well. In this example, we'll use ReviewBoard-2.0.19.tar.gz and ReviewBoard-2.0.19.tar.gz.asc.
$ gpg --verify ReviewBoard-2.0.19.tar.gz.asc gpg: assuming signed data in 'ReviewBoard-2.0.19.tar.gz' gpg: Signature made Mon Aug 24 22:07:45 2015 PDT using RSA key ID E47A2499 gpg: Good signature from "Beanbag, Inc. (Support) <[email protected]>" [ultimate] gpg: aka "Review Board Project Team <[email protected]>" [ultimate] gpg: aka "Beanbag, Inc. (Sales) <[email protected]>" [ultimate]
If you didn't locally-sign our key above, this will warn that the key is not certificate with a trusted signature.
Note again that this will be signed by one of our subkeys, listed above. If you get an error of any sort, make sure the file has not been corrupted. If it continues, please send an e-mail to [email protected] immediately.
Verifying SHA-256 checksums
You can also verify the checksums independently by fetching the desired files in the build along with the .sha256sum file. Run:
$ sha256sum -c filename.sha256sum filename: OK
If you've only downloaded some of the files listed in the .sha256sum file, you'll get warnings about missing files. You can ignore those.
PGP Keys
Our builds will be identified with one of the following key IDs:
pub 4096R/285291B34ED1F993 created: 2015-05-23 expires: 2021-10-27 usage: SC key fingerprint = 09D5 06DA BB62 A09E 891D A9F3 2852 91B3 4ED1 F993 sub 2048R/432CCE35E47A2499 created: 2015-05-23 expires: 2021-10-27 usage: S key fingerprint = E2E3 780A D76C 47A5 9E7F A118 432C CE35 E47A 2499 sub 2048R/C02DA2A645668428 created: 2015-05-26 expires: 2021-10-27 usage: S key fingerprint = 40A3 5561 8EEB A026 62AE AF76 C02D A2A6 4566 8428 sub 2048R/C7B6E95327F894C8 created: 2016-01-14 expires: 2021-10-27 usage: S key fingerprint = C6A9 F8B2 F409 B61D 406E 3B18 C7B6 E953 27F8 94C8