1<appendix id="appendix-signatures" xreflabel="Verifying digital signatures">
2 <title>Verifying digital signatures</title>
3
4 <sect1 id="repmgr-source-key" xreflabel="repmgr source key">
5   <title>repmgr source code signing key</title>
6   <para>
7     The signing key ID used for <application>repmgr</application> source code bundles is:
8     <ulink url="https://repmgr.org/download/SOURCE-GPG-KEY-repmgr">
9       <literal>0x297F1DCC</literal></ulink>.
10   </para>
11
12   <para>
13     To download the <application>repmgr</application> source key to your computer:
14     <programlisting>
15       curl -s https://repmgr.org/download/SOURCE-GPG-KEY-repmgr | gpg --import
16       gpg --fingerprint 0x297F1DCC
17     </programlisting>
18     then verify that the fingerprint is the expected value:
19     <programlisting>
20       085A BE38 6FD9 72CE 6365  340D 8365 683D 297F 1DCC</programlisting>
21   </para>
22
23   <para>
24     For checking tarballs, first download and import the <application>repmgr</application>
25     source signing key as shown above. Then download both source tarball and the detached
26     key (e.g. <filename>repmgr-4.0beta1.tar.gz</filename> and
27     <filename>repmgr-4.0beta1.tar.gz.asc</filename>) from
28     <ulink url="https://repmgr.org/download/">https://repmgr.org/download/</ulink>
29     and use <application>gpg</application> to verify the key, e.g.:
30     <programlisting>
31       gpg --verify repmgr-4.0beta1.tar.gz.asc</programlisting>
32   </para>
33
34 </sect1>
35
36
37</appendix>
38