BitchX release signatures

BitchX source releases are cryptographically signed with OpenPGP signatures. These signatures allow you to check that the file you've downloaded is a faithful copy of the original released file and hasn't been altered in any way, so it's a good idea to verify these signatures when you download a release.

Verifying release signatures

As an example, to verify the bitchx-1.2.1.tar.gz release, you would also download the corresponding signature bitchx-1.2.1.tar.gz.sign.

The "gpg" command to verify the signature is then:

$ gpg --verify bitchx-1.2.1.tar.gz.sign

If you haven't already downloaded the public key used to sign the release, the output will be something like:

gpg: Signature made Tue 11 Nov 2014 23:37:58 AEDT using RSA key ID 676E9428
gpg: Can't check signature: public key not found

If so, use the key ID shown in the output (here, 676E9428) to download the public key from a PGP keyserver:

$ gpg --keyserver pgp.mit.edu --recv-keys 676E9428

If you now run the verify command again, you should see something like:

gpg: Signature made Tue 11 Nov 2014 11:37:58 PM EST using RSA key ID 676E9428
gpg: Good signature from "Kevin Easton (BitchX Developer) <caf@bitchx.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 71A9 6550 25DE 3FD6 9863  E0E2 E32F C717 676E 9428

The warning is shown because you have not told GnuPG that you trust that the signing key really belongs to the person named in it. It does not mean the signature is invalid.

The current signing key is listed below, so you can compare its fingerprint with the "Primary key fingerprint" line in the output. If you wish to verify the fingerprint, you can contact caf in #bitchx on EFnet or freenode.

Verification failures

The most likely reason to see a "BAD signature" output from "gpg --verify" is a corrupted downloaded file. Try downloading the file again and reverifying the signature.

If you still get "BAD signature", please contact us immediately so that we can investigate.

Current signing key

The key used to sign current releases is key ID 676E9428, with fingerprint:

pub   4096R/676E9428 2012-05-26
      Key fingerprint = 71A9 6550 25DE 3FD6 9863  E0E2 E32F C717 676E 9428
uid                  Kevin Easton (BitchX Developer) <caf@bitchx.org>
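
The fingerprint comparison can be scripted instead of done by eye. The following is an added example, not part of the BitchX project: it runs gpg with --status-fd and accepts a release only if the valid signature comes from the full fingerprint listed above, since an 8-digit key ID alone is too short to identify a key. The script name verify-bitchx.sh, the second fingerprint and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not BitchX project code.
# Fingerprint copied from "Current signing key" on this page, spaces removed.
PINNED_FPR="71A9655025DE3FD69863E0E2E32FC717676E9428"

# check_status FPR: read GnuPG --status-fd lines on stdin; succeed only if a
# VALIDSIG line names FPR as the primary key and no BADSIG/ERRSIG appears.
# VALIDSIG fields after the keyword: signing-key fingerprint, eight
# signature details, then (optionally) the primary-key fingerprint.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release SIGFILE DATAFILE: run gpg on a detached signature and
# apply the fingerprint check to its machine-readable status output.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" | check_status "$PINNED_FPR"
}

# Constructed sample status lines (not captured from a real gpg run).
SAMPLE_GOOD="[GNUPG:] GOODSIG E32FC717676E9428 Kevin Easton (BitchX Developer) <caf@bitchx.org>
[GNUPG:] VALIDSIG $PINNED_FPR 2014-11-11 1415709478 0 4 0 1 2 00 $PINNED_FPR"
# Same 8-digit key ID, different (made-up) fingerprint: must be rejected.
OTHER_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA676E9428"
SAMPLE_OTHER="[GNUPG:] VALIDSIG $OTHER_FPR 2014-11-11 1415709478 0 4 0 1 2 00 $OTHER_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG E32FC717676E9428 Kevin Easton (BitchX Developer) <caf@bitchx.org>"

# Usage (hypothetical script name):
#   sh verify-bitchx.sh bitchx-1.2.1.tar.gz.sign bitchx-1.2.1.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: valid signature from $PINNED_FPR"
    else
        echo "FAIL: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```

The script exits non-zero when the public key is missing, when the signature is bad, or when a valid signature was made by any key other than the pinned one.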