title: Verifying snapshots with signify
date: 2019-01-01
author: Wynn Wolf Arbor

I use the [signify](https://flak.tedunangst.com/post/signify) tool to cryptographically sign all software downloads you will find on this site and on [git.oriole.systems](https://git.oriole.systems). Whilst you technically don't need `signify` to verify the _integrity_ of downloaded files, I strongly recommend using it to also verify the _signature_. A portable version of the tool is available [here](https://github.com/aperezdc/signify).

**Note**: Firefox is [bugged](https://bugzilla.mozilla.org/show_bug.cgi?id=610679) when it comes to downloading content that is already compressed. Tarballs that were downloaded with Firefox will **fail** verification. Please make sure to use another browser or a tool like `curl` or `wget` to obtain the tarballs.

### Obtaining the signature and checksum

Whether or not you decide to use `signify` to verify downloaded files, you need to obtain the detached signature linked on the respective project page or git repository[^1]. It contains the signature as well as the checksum.

### Obtaining the public key

To fully verify a download with `signify`, first obtain [my public key](/release.pub). I keep a copy of the same key on DNS, feel free to verify it therewith:

    $ drill TXT releasekey.oriole.systems

Another copy of the key exists on the [Libera.Chat](https://libera.chat) IRC servers, in my taxonomy data:

    /msg NickServ taxonomy wynn

You may want to keep the public key saved on your system for future verifications.

### Verification with signify

Once you have downloaded my public key, run the following to verify your download:

    $ signify -C -p release.pub -x .asc
    Signature Verified
    : OK

### Verification with sha256sum

Alternatively, if you don't want to install `signify`, you can use the `sha256sum` tool to only verify the integrity of the download:

    $ tail -n1 .asc | sha256sum -c
    : OK

[^1]: If you are interested in how this is put together, check out [this](signify-cgit) post.
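
What the `sha256sum` step above checks, and what it leaves out, shown as an added Python example (not the author's code and not part of signify). It assumes the usual signify layout: an `untrusted comment:` line, a base64 line holding `Ed`, an 8-byte key id and the key or signature, then BSD-style checksum lines; `parse_signify`, `precheck`, `make_blob` and all sample data are constructed for illustration, and the Ed25519 signature itself is not verified here.

```python
import base64
import hashlib
import re

# BSD-style checksum line, the form `sha256sum -c` also accepts.
CHECKSUM_RE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")


def parse_signify(text):
    """Return (key_id, payload, message_lines) for a signify key or signature file."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("missing 'untrusted comment:' header")
    blob = base64.b64decode(lines[1], validate=True)
    # "Ed" + 8-byte key id + 32-byte public key (42) or 64-byte signature (74).
    if blob[:2] != b"Ed" or len(blob) not in (42, 74):
        raise ValueError("not an Ed25519 signify blob")
    return blob[2:10], blob[10:], lines[2:]


def precheck(sig_text, pub_text, name, data):
    """Run the two checks that need no crypto library; the signature is NOT verified."""
    sig_id, _, message = parse_signify(sig_text)
    pub_id, _, _ = parse_signify(pub_text)
    expected = None
    for line in message:
        m = CHECKSUM_RE.match(line)
        if m and m.group(1) == name:
            expected = m.group(2)
    return {
        "key_id_matches": sig_id == pub_id,  # signature names the key we hold
        "checksum_ok": expected == hashlib.sha256(data).hexdigest(),
    }


def make_blob(key_id, size):
    # Constructed placeholder: zero-filled payload, not a real key or signature.
    return base64.b64encode(b"Ed" + key_id + bytes(size)).decode()


# Constructed sample inputs (hypothetical file name and key id).
TARBALL = b"constructed tarball bytes"
PUB = "untrusted comment: release public key\n" + make_blob(b"KEYID001", 32) + "\n"
SIG = ("untrusted comment: verify with release.pub\n" + make_blob(b"KEYID001", 64)
       + "\nSHA256 (demo.tar.gz) = " + hashlib.sha256(TARBALL).hexdigest() + "\n")

if __name__ == "__main__":
    print(precheck(SIG, PUB, "demo.tar.gz", TARBALL))
```

A passing `checksum_ok` only shows that the file matches the checksum line in the same signature file; tying that line to the release key is what `signify -C` adds.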