BitchX source releases are cryptographically signed with OpenPGP signatures. These signatures allow you to check that the file you've downloaded is a faithful copy of the original released file and hasn't been altered in any way, so it's a good idea to verify these signatures when you download a release.
Verifying release signatures
As an example, to verify the bitchx-1.2.1.tar.gz release, you would also download the corresponding signature bitchx-1.2.1.tar.gz.sign.
The "gpg" command to verify the signature is then:
$ gpg --verify bitchx-1.2.1.tar.gz.sign
If you haven't already downloaded the public key used to sign the release, the output will be something like:
gpg: Signature made Tue 11 Nov 2014 23:37:58 AEDT using RSA key ID 676E9428 gpg: Can't check signature: public key not found
In this case, use the key ID (in this case, 676E9428) to download the public key from a PGP keyserver:
$ gpg --keyserver pgp.mit.edu --recv-keys 676E9428
If you now run the verify command again, you should see something like:
gpg: Signature made Tue 11 Nov 2014 11:37:58 PM EST using RSA key ID 676E9428 gpg: Good signature from "Kevin Easton (BitchX Developer) <email@example.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 71A9 6550 25DE 3FD6 9863 E0E2 E32F C717 676E 9428
The warning is shown because you have not told GnuPG that you trust that the signing key really belongs to who it says it does.
The current signing key in use is listed below, and if you wish to verify the fingerprint you can contact caf in #bitchx on EFnet or freenode.
The most likely reason to see a "BAD signature" output from "gpg --verify" is a corrupted downloaded file. Try downloading the file again and reverifying the signature.
If you still get "BAD signature", please contact us immediately so that we can investigate.
Current signing key
The key used to sign current releases is key ID 676E9428, with fingerprint:
pub 4096R/676E9428 2012-05-26 Key fingerprint = 71A9 6550 25DE 3FD6 9863 E0E2 E32F C717 676E 9428 uid Kevin Easton (BitchX Developer) <firstname.lastname@example.org>