TrustTunnel/TrustTunnelClient
1
0
Fork 0
mirror of https://github.com/TrustTunnel/TrustTunnelClient.git synced 2026-05-22 19:41:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
TrustTunnelClient/VERIFY_RELEASES.md
T
Aleksei Zhavoronkov 4e1757efed Pull request 609: Add GPG signing for trusttunnel_client 
Squashed commit of the following:

commit 0ed11c988f35f1b19ce7f6b726b76d6d7b8479f4
Author: Sergey Fionov <sfionov@adguard.com>
Date:   Tue Feb 3 13:41:27 2026 +0000

    Applied suggestion: fix version

commit ffb1463d8586f3875ecdddc571de8ceea6cfe653
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date:   Tue Feb 3 16:36:05 2026 +0300

    Add guide how to verify releases

commit 257c725db05cf8faa3a4687949ce0529d69fb1d4
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date:   Tue Feb 3 16:35:37 2026 +0300

    Update CHANGELOG

commit e9857b629b26eb850844e7f84df622b6b3d78ef7
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date:   Tue Feb 3 15:23:50 2026 +0300

    fix

commit c0e3376bc731c51415940060476d33367b27a347
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date:   Tue Feb 3 13:59:47 2026 +0300

    Add GPG signing for trusttunnel_client
2026-02-03 14:47:31 +00:00

2.1 KiB
Raw Permalink Blame History

Verifying TrustTunnelClient Releases

Since TrustTunnelClient v0.99.104 we sign the executable files we build so that you can verify they are really created by us and no one else. Inside an archive file there's a small file with .sig extension which contains the signature data. In a hypothetic situation when the binary file inside an archive is replaced by someone, you'll know that it isn't an official release from AdGuard.

How to verify that the executable file was built by AdGuard?

  1. Unpack the TrustTunnelClient archive file.

  2. Import TrustTunnelClient public key from keyserver. For current release, run:

    gpg --keyserver 'keys.openpgp.org' --recv-key '28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6'

    The above command will print something similar to:

    gpg: key 0FE641E7235E2EC6: public key "AdGuard <devteam@adguard.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

  3. Verify. On Unix:

    gpg --verify trusttunnel_client/setup_wizard.sig
gpg --verify trusttunnel_client/trusttunnel_client.sig

    On Windows (you might need to install PGP):

    gpg --verify trusttunnel_client/setup_wizard.exe.sig
gpg --verify trusttunnel_client/trusttunnel_client.exe.sig

    You'll see something like this:

    gpg: assuming signed data in 'trusttunnel_client'
gpg: Signature made Mon 2 Feb 2026 19:30:55 MSK
gpg:                using RSA key 28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6
gpg:                issuer "devteam@adguard.com"
gpg: Good signature from "AdGuard <devteam@adguard.com>" [ultimate]

    Check the following:

    • RSA key: must be 28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6;
    • Issuer name: must be AdGuard;
    • E-mail address: must be devteam@adguard.com.

    There may also be the following warning:

    gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2864 5AC9 776E C4C0 0BCE  2AFC 0FE6 41E7 235E 2EC6
Reference in New Issue View Git Blame Copy Permalink