1<appendix id="appendix-signatures" xreflabel="Verifying digital signatures"> 2 <title>Verifying digital signatures</title> 3 4 <sect1 id="repmgr-source-key" xreflabel="repmgr source key"> 5 <title>repmgr source code signing key</title> 6 <para> 7 The signing key ID used for <application>repmgr</application> source code bundles is: 8 <ulink url="https://repmgr.org/download/SOURCE-GPG-KEY-repmgr"> 9 <literal>0x297F1DCC</literal></ulink>. 10 </para> 11 12 <para> 13 To download the <application>repmgr</application> source key to your computer: 14 <programlisting> 15 curl -s https://repmgr.org/download/SOURCE-GPG-KEY-repmgr | gpg --import 16 gpg --fingerprint 0x297F1DCC 17 </programlisting> 18 then verify that the fingerprint is the expected value: 19 <programlisting> 20 085A BE38 6FD9 72CE 6365 340D 8365 683D 297F 1DCC</programlisting> 21 </para> 22 23 <para> 24 For checking tarballs, first download and import the <application>repmgr</application> 25 source signing key as shown above. Then download both source tarball and the detached 26 key (e.g. <filename>repmgr-4.0beta1.tar.gz</filename> and 27 <filename>repmgr-4.0beta1.tar.gz.asc</filename>) from 28 <ulink url="https://repmgr.org/download/">https://repmgr.org/download/</ulink> 29 and use <application>gpg</application> to verify the key, e.g.: 30 <programlisting> 31 gpg --verify repmgr-4.0beta1.tar.gz.asc</programlisting> 32 </para> 33 34 </sect1> 35 36 37</appendix> 38