BitchX source releases are cryptographically signed with OpenPGP
signatures. These signatures allow you to check that the file you've
downloaded is a faithful copy of the original released file and hasn't
been altered in any way, so it's a good idea to verify these signatures
when you download a release.

Verifying release signatures

As an example, to verify the bitchx-1.2.1.tar.gz release, you would
also download the corresponding signature bitchx-1.2.1.tar.gz.sign.
The "gpg" command to verify the signature is then:
$ gpg --verify bitchx-1.2.1.tar.gz.sign
If you haven't already downloaded the public key used to sign the release,
the output will be something like:
gpg: Signature made Tue 11 Nov 2014 23:37:58 AEDT using RSA key ID 676E9428
gpg: Can't check signature: public key not found
In that case, use the key ID shown in the output (here, 676E9428) to
download the public key from a PGP keyserver:
$ gpg --keyserver pgp.mit.edu --recv-keys 676E9428
If you now run the verify command again, you should see something like:
gpg: Signature made Tue 11 Nov 2014 11:37:58 PM EST using RSA key ID 676E9428
gpg: Good signature from "Kevin Easton (BitchX Developer) <firstname.lastname@example.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 71A9 6550 25DE 3FD6 9863 E0E2 E32F C717 676E 9428
The warning is shown because you have not told GnuPG that you trust that the
signing key really belongs to the person it names. The current signing key is
listed below; compare the "Primary key fingerprint" line in the output against
it. If you wish to verify the fingerprint you can contact caf in #bitchx on
EFnet or freenode.
The most likely reason to see a "BAD signature" output from "gpg --verify"
is a corrupted downloaded file. Try downloading the file again and
reverifying. If you still get "BAD signature", please contact us immediately
so that we can investigate.
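
The verification steps above can be scripted. The following is an added example, not part of the BitchX release tooling: it runs "gpg --verify" and then requires the primary key fingerprint reported by gpg to equal the full fingerprint listed under "Current signing key", rather than relying on the 8-digit key ID. The function names, the PINNED_FPR variable and the sample status lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the BitchX project.
# Full fingerprint from the "Current signing key" section, spaces removed.
PINNED_FPR="71A9655025DE3FD69863E0E2E32FC717676E9428"

# Constructed sample of gpg's machine-readable status output, shaped like
# what "gpg --status-fd 1 --verify" prints for a valid signature. Only the
# two fingerprint fields matter here; the other VALIDSIG fields are filler.
SAMPLE_STATUS="[GNUPG:] SIG_ID constructedSigId 2014-11-11 1415709478
[GNUPG:] GOODSIG E32FC717676E9428 Kevin Easton (BitchX Developer)
[GNUPG:] VALIDSIG $PINNED_FPR 2014-11-11 1415709478 0 4 0 1 2 00 $PINNED_FPR"

# status_matches_pin FPR
# Reads status lines on stdin. Succeeds only when exactly one VALIDSIG line
# is present and its last field (the primary key fingerprint) equals FPR.
status_matches_pin() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            n++
            if (toupper($NF) == toupper(want)) ok++
        }
        END { exit !(n == 1 && ok == 1) }
    '
}

# verify_release SIGFILE DATAFILE
# gpg exits non-zero on a bad signature or a missing public key; a zero exit
# alone only says "some key in the keyring signed this", so pin it as well.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_matches_pin "$PINNED_FPR"
}

# Usage: verify_release bitchx-1.2.1.tar.gz.sign bitchx-1.2.1.tar.gz
```
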

Current signing key

The key used to sign current releases is key ID 676E9428, with fingerprint:
pub   4096R/676E9428 2012-05-26
      Key fingerprint = 71A9 6550 25DE 3FD6 9863 E0E2 E32F C717 676E 9428
uid                  Kevin Easton (BitchX Developer) <email@example.com>