Checksum and Signature Verification

If you would like to verify the checksum and signature of a download, please perform the following steps:

  • Download the package, signature and SHASUMS files
  • Verify that the package file matches its entry in the SHASUMS file
  • Verify that the package file is properly signed

For example:

# Download the package and signature files.

# Verify that the package file matches its entry in SHASUMS.
$ shasum -a 256 -c SHASUMS

# Import our public key - one-time step.
$ wget -qO- | gpg --import
# Verify the signature files.
$ gpg --verify spunkybot-1.14.0.tar.gz.asc spunkybot-1.14.0.tar.gz
$ gpg --verify SHASUMS.sig SHASUMS
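
The steps above can be chained so that any failure stops the check. The script below is an added example, not part of the Spunky Bot project, and its function names are hypothetical. It also covers a case `shasum -c SHASUMS` does not: that command only checks the files named in SHASUMS, so a package with no entry there is never hashed.

```shell
#!/bin/sh
# Added example, not Spunky Bot's own script. Function names are hypothetical.
# Assumes SHASUMS lines look like "<sha256-hex>  <filename>" (shasum output)
# and that file names contain no whitespace.

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_listed PACKAGE SHASUMS
# Succeeds only if PACKAGE has exactly one entry in SHASUMS and its hash matches.
verify_listed() {
    pkg=$1
    sums=$2
    name=$(basename "$pkg")
    [ -f "$pkg" ] || { echo "missing file: $pkg" >&2; return 1; }
    # A leading "*" on the file name marks binary mode; strip it before comparing.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { c++; h = $1 } }
        END { if (c != 1) exit 1; print tolower(h) }' "$sums") || {
        echo "$name: expected exactly one entry in $sums" >&2
        return 1
    }
    actual=$(sha256_of "$pkg")
    if [ "$actual" != "$expected" ]; then
        echo "$name: checksum mismatch" >&2
        return 1
    fi
}

# verify_release PACKAGE
# Authenticates SHASUMS before trusting its hashes, then checks the package
# hash and the package signature, stopping at the first failure.
verify_release() {
    gpg --verify SHASUMS.sig SHASUMS &&
        verify_listed "$1" SHASUMS &&
        gpg --verify "$1.asc" "$1"
}
```

Source the script in the download directory and run `verify_release spunkybot-1.14.0.tar.gz`. `gpg --verify` accepts a good signature from any key in the keyring, so compare the signing key's fingerprint in its output with the one the project publishes.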