
We want you to feel safe using our products, and to make sure you're using authentic builds of Review Board.

We cryptographically sign all of our downloads using PGP signatures. You can download the signatures to verify that the files are indeed created by us and have not been tampered with or corrupted.

Here's how it works

Every single file available on downloads.reviewboard.org comes with a matching .asc file, which contains a PGP signature. This signature shows that the build was signed by our private key or one of its subkeys (listed below), which is unique to us and carefully protected.

Each grouping of downloads for a given release also has a matching .sha256sum file, which contains the SHA-256 checksums for each file in the release. You can verify those checksums to be sure you're getting what you expect. This file also has a matching .asc signature file.

How to verify our signatures

Installing the software

To validate the authenticity of the files, you'll need two tools:

  • sha256sum: Validates SHA-256 checksums
  • GnuPG: The GNU Privacy Guard, for validating signatures

If you're running Linux/MacOS X, you probably have sha256sum, and you can get GnuPG from either your package manager or from GnuPG.org.

If you're running Windows, you can get these from Cygwin. Alternatively, you can download standalone versions of both:

Here are some tutorials on how all this works, and how to get started:

Adding our key

Once you have GnuPG installed, you'll need our PGP public key. This is used to verify the signatures in the .asc files. You can fetch this through a terminal by typing:

$ gpg --recv-keys 285291B34ED1F993
gpg: requesting key 4ED1F993 from hkps server hkps.pool.sks-keyservers.net
gpg: key 4ED1F993: public key "Beanbag, Inc. (Support) <support@beanbaginc.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Signing our key (optional)

Now that you have the key, you can locally sign it with your own private key in order to trust it. You don't have to do this, but it means you don't have to check all the fingerprints later every time you go to verify a build.

By locally signing, your trust in the key will remain purely local to your system, and won't become part of the web of trust. You'll do this with the --lsign-key command. If you do fully trust this key and wish to state that fact (for instance, if you're convinced of its authenticity because you fully trust that what you're reading right now is legit, and have verified this key was signed by people you trust), then you can sign normally with --sign-key instead.

(If you don't have a private key, follow one of the tutorials above to get one.)

$ gpg --lsign-key 285291B34ED1F993
pub  4096R/4ED1F993  created: 2015-05-23  expires: 2021-10-27  usage: SC
                     trust: unknown       validity: unknown
sub  2048R/E47A2499  created: 2015-05-23  expires: 2021-10-27  usage: S
sub  2048R/82FB3BC7  created: 2015-05-23  expires: 2021-10-27  usage: E
sub  2048R/15A49BAB  created: 2015-05-23  expires: 2021-10-27  usage: A
sub  2048R/45668428  created: 2015-05-26  expires: 2021-10-27  usage: S
sub  2048R/E76A450C  created: 2016-01-14  expires: 2021-10-27  usage: E
sub  2048R/C444966C  created: 2015-05-26  expires: 2021-10-27  usage: A
sub  2048R/27F894C8  created: 2016-01-14  expires: 2021-10-27  usage: S
sub  2048R/3A46BCD8  created: 2016-01-14  expires: 2021-10-27  usage: E
sub  2048R/1F6FF592  created: 2016-01-14  expires: 2021-10-27  usage: A
[ unknown] (1). Beanbag, Inc. (Support) <support@beanbaginc.com>
[ unknown] (2)  Beanbag, Inc. (Sales) <sales@beanbaginc.com>
[ unknown] (3)  Review Board Project Team <reviewboard@googlegroups.com>

Really sign all user IDs? (y/N) y

pub  4096R/4ED1F993  created: 2015-05-23  expires: 2021-10-27  usage: SC
                     trust: unknown       validity: unknown
 Primary key fingerprint: 09D5 06DA BB62 A09E 891D  A9F3 2852 91B3 4ED1 F993

     Beanbag, Inc. (Support) <support@beanbaginc.com>
     Beanbag, Inc. (Sales) <sales@beanbaginc.com>
     Review Board Project Team <reviewboard@googlegroups.com>

This key is due to expire on 2021-10-27.
Are you sure that you want to sign this key with your
key "Your key information"

The signature will be marked as non-exportable.

Really sign? (y/N) y

That's a lot of information to throw at you, but it's just giving you a complete understanding of our key. Make sure to verify what you see with what's here. If it's different, it's not our key.

When prompted, enter the password you've set for your own private key. Congrats, it's signed! You can now verify our signatures.

Verifying signatures

Now that you have the key, you can verify a signature of a download. Once you've downloaded a file, download its corresponding .asc file as well. In this example, we'll use ReviewBoard-2.0.19.tar.gz and ReviewBoard-2.0.19.tar.gz.asc.

$ gpg --verify ReviewBoard-2.0.19.tar.gz.asc
gpg: assuming signed data in 'ReviewBoard-2.0.19.tar.gz'
gpg: Signature made Mon Aug 24 22:07:45 2015 PDT using RSA key ID E47A2499
gpg: Good signature from "Beanbag, Inc. (Support) <support@beanbaginc.com>" [ultimate]
gpg:                 aka "Review Board Project Team <reviewboard@googlegroups.com>" [ultimate]
gpg:                 aka "Beanbag, Inc. (Sales) <sales@beanbaginc.com>" [ultimate]

If you didn't locally sign our key above, this will warn that the key is not certified with a trusted signature.

Note again that this will be signed by one of our subkeys, listed above. If you get an error of any sort, make sure the file has not been corrupted. If it continues, please send an e-mail to support@beanbaginc.com immediately.
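The two checks above (compare the fingerprint with what is printed here, and confirm the signature came from one of our keys) can be scripted instead of eyeballed. The following is an added example, not code from the Review Board project: it reads the machine-readable lines gpg emits with --status-fd during --verify and accepts a signature only if gpg reports it good and the signing key's full fingerprint is one of the fingerprints pinned from the "PGP Keys" section below. The status lines embedded at the bottom are constructed samples modelled on the transcript above, not captured from a real gpg run; gpg_status_lines() is the hypothetical helper that would produce real ones when gpg is installed.

```python
import subprocess

# Fingerprints pinned from the page's "PGP Keys" section, spaces removed.
PRIMARY_FINGERPRINT = "09D506DABB62A09E891DA9F3285291B34ED1F993"  # 285291B34ED1F993 (SC)
SIGNING_FINGERPRINTS = {
    "E2E3780AD76C47A59E7FA118432CCE35E47A2499",  # subkey 432CCE35E47A2499 (S)
    "40A355618EEBA02662AEAF76C02DA2A645668428",  # subkey C02DA2A645668428 (S)
    "C6A9F8B2F409B61D406E3B18C7B6E95327F894C8",  # subkey C7B6E95327F894C8 (S)
}
ACCEPTED = SIGNING_FINGERPRINTS | {PRIMARY_FINGERPRINT}
FATAL_STATUS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def normalize_fingerprint(fpr):
    """Turn '09D5 06DA ... F993' (as gpg prints it) into the compact upper-case form."""
    return "".join(fpr.split()).upper()


def parse_status(lines):
    """Parse '[GNUPG:] ...' status lines into a small summary dict."""
    summary = {"good": False, "fpr": None, "primary_fpr": None, "errors": []}
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split()
        if not fields:
            continue
        tag = fields[0]
        if tag == "GOODSIG":
            summary["good"] = True
        elif tag == "VALIDSIG" and len(fields) >= 2:
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            summary["fpr"] = fields[1].upper()
            if len(fields) >= 11:
                summary["primary_fpr"] = fields[10].upper()
        elif tag in FATAL_STATUS:
            summary["errors"].append(tag)
    return summary


def signature_trusted(lines):
    """Accept only a good, valid signature made by one of the pinned keys."""
    s = parse_status(lines)
    if s["errors"] or not s["good"] or s["fpr"] is None:
        return False
    # A key ID (even a 64-bit one) is not unique; only the full fingerprint is compared.
    if s["fpr"] not in ACCEPTED:
        return False
    # When gpg reports the primary key too, it must be the pinned primary.
    if s["primary_fpr"] is not None and s["primary_fpr"] != PRIMARY_FINGERPRINT:
        return False
    return True


def gpg_status_lines(sig_path, data_path):
    """Hypothetical helper: run gpg --verify and return its status lines (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.splitlines()


# Constructed sample status output, modelled on the page's --verify transcript
# (signing subkey E47A2499, Aug 24 2015); not captured from a real gpg run.
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 432CCE35E47A2499 Beanbag, Inc. (Support) <support@beanbaginc.com>",
    "[GNUPG:] VALIDSIG E2E3780AD76C47A59E7FA118432CCE35E47A2499 2015-08-25 1440479265 0 4 0 1 8 00 09D506DABB62A09E891DA9F3285291B34ED1F993",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
# Constructed: a good signature from some other key that merely copied the user ID; must be rejected.
SAMPLE_WRONG_KEY = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Beanbag, Inc. (Support) <support@beanbaginc.com>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2015-08-25 1440479265 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF",
]
# Constructed: a signature by a key that is not in the keyring at all.
SAMPLE_NO_KEY = [
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1440479265 9 0000000000000000000000000123456789ABCDEF",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
]

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("wrong key", SAMPLE_WRONG_KEY), ("no key", SAMPLE_NO_KEY)):
        print(f"{label}: {'trusted' if signature_trusted(sample) else 'rejected'}")
```

Pinning fingerprints rather than user IDs is the point: anyone can create a key with the user ID "Beanbag, Inc. (Support)", and gpg will happily say "Good signature" for it, so the check has to be on the fingerprint (and ideally on the primary key the subkey belongs to). In a real deployment you would replace the sample lists with the output of gpg_status_lines() and keep the pinned fingerprints in your own configuration, copied from this page.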

Verifying SHA-256 checksums

You can also verify the checksums independently by fetching the desired files in the build along with the .sha256sum file. Run:

$ sha256sum -c filename.sha256sum
filename: OK

If you've only downloaded some of the files listed in the .sha256sum file, you'll get warnings about missing files. You can ignore those.
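For readers who would rather see what sha256sum -c is doing (or who are on a system without it), here is an added example, not part of the Review Board project, that parses a .sha256sum file, streams each listed file through SHA-256, and reports OK, FAILED, or MISSING per entry, treating the "missing file" case above as a warning rather than an error. It also refuses entries whose filename contains a path component, so a checksum file can never point verification at files outside the download directory. The release directory and checksum file in demo() are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sum(text):
    """Parse a .sha256sum file: one '<64 hex digits>  <filename>' entry per line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with a leading '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"not a SHA-256 digest: {digest!r}")
        entries.append((digest.lower(), name))
    return entries


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large tarball never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def check_sums(sumfile_text, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING' | 'REJECTED'}, like `sha256sum -c` reports."""
    results = {}
    for expected, name in parse_sha256sum(sumfile_text):
        # Only bare filenames are allowed; a checksum file must not steer us elsewhere.
        if os.path.basename(name) != name:
            results[name] = "REJECTED"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"  # expected when you skipped some files of the release
            continue
        actual = sha256_of_file(path)
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo():
    """Constructed release directory: one intact file, one tampered file, one not downloaded."""
    with tempfile.TemporaryDirectory() as d:
        intact = b"constructed intact release content\n"
        original = b"constructed original content\n"
        with open(os.path.join(d, "example-1.0.tar.gz"), "wb") as f:
            f.write(intact)
        with open(os.path.join(d, "example-1.0.zip"), "wb") as f:
            f.write(original + b"extra bytes")  # modified after the sums were published
        sumfile = "\n".join([
            f"{hashlib.sha256(intact).hexdigest()}  example-1.0.tar.gz",
            f"{hashlib.sha256(original).hexdigest()}  example-1.0.zip",
            f"{hashlib.sha256(b'never downloaded').hexdigest()}  example-1.0.exe",
            f"{'0' * 64}  ../outside.txt",
        ])
        return check_sums(sumfile, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Remember that checksums alone only prove the file matches the .sha256sum file; they say nothing about who published it. That is why the page pairs the .sha256sum file with its own .asc signature: verify the signature on the checksum file first, then verify the files against it.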

PGP Keys

Our builds will be identified with one of the following key IDs:

pub  4096R/285291B34ED1F993  created: 2015-05-23  expires: 2021-10-27  usage: SC
     key fingerprint = 09D5 06DA BB62 A09E 891D  A9F3 2852 91B3 4ED1 F993
sub  2048R/432CCE35E47A2499  created: 2015-05-23  expires: 2021-10-27  usage: S
     key fingerprint = E2E3 780A D76C 47A5 9E7F  A118 432C CE35 E47A 2499
sub  2048R/C02DA2A645668428  created: 2015-05-26  expires: 2021-10-27  usage: S
     key fingerprint = 40A3 5561 8EEB A026 62AE  AF76 C02D A2A6 4566 8428
sub  2048R/C7B6E95327F894C8  created: 2016-01-14  expires: 2021-10-27  usage: S
     key fingerprint = C6A9 F8B2 F409 B61D 406E  3B18 C7B6 E953 27F8 94C8

Download the public key.