Files
Stirling-PDF/docs/security/VERIFYING_RELEASES.md
T

115 lines
4.0 KiB
Markdown

# Verifying Stirling-PDF Release Artifacts
Every Linux release artifact (`.AppImage`, `.rpm`, `.deb`) is signed with the
**Stirling-PDF release signing key**. Users are encouraged to verify downloads
before running them, especially when obtaining Stirling-PDF from a mirror,
redistributor, or any source other than the official
[GitHub Releases page](https://github.com/Stirling-Tools/Stirling-PDF/releases).
## Signing key
| Field | Value |
|--------------|----------------------------------------------------|
| User ID | `Stirling PDF Inc. <[email protected]>` |
| Fingerprint | `EBB9 258B FEA4 7D92 342F 00DF B8C0 96A5 9BEF 2A8B` |
| Algorithm | RSA-4096 |
| Valid until | 2031-04-16 |
The public key is committed to this repository at
[`docs/security/signing-key.pub`](signing-key.pub) and is also published on:
- https://keys.openpgp.org/search?q=EBB9258BFEA47D92342F00DFB8C096A59BEF2A8B
- https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xEBB9258BFEA47D92342F00DFB8C096A59BEF2A8B
Cross-checking the fingerprint from two independent sources (the repository and
a keyserver) is the recommended way to be sure you've obtained the genuine key.
## One-time setup — import the public key
```bash
# Option 1 — from the repo over HTTPS
curl -fsSL https://raw.githubusercontent.com/Stirling-Tools/Stirling-PDF/main/docs/security/signing-key.pub \
| gpg --import
# Option 2 — from a keyserver
gpg --keyserver hkps://keys.openpgp.org \
--recv-keys EBB9258BFEA47D92342F00DFB8C096A59BEF2A8B
```
Confirm the fingerprint matches after import:
```bash
gpg --fingerprint [email protected]
# Expected: EBB9 258B FEA4 7D92 342F 00DF B8C0 96A5 9BEF 2A8B
```
## Verifying an `.AppImage`
Tauri's AppImage bundler embeds the signature inside the AppImage itself via
`appimagetool --sign`. Extract and verify:
```bash
# --appimage-signature prints the embedded signature
./Stirling-PDF_*.AppImage --appimage-signature > sig.asc
./Stirling-PDF_*.AppImage --appimage-offset # shows the offset
# Verify the payload signature against the key
gpg --verify sig.asc Stirling-PDF_*.AppImage
```
A successful result looks like:
```
gpg: Good signature from "Stirling PDF Inc. <[email protected]>" [ultimate]
```
## Verifying an `.rpm`
RPM signatures are verified via `rpm --checksig`:
```bash
# Import the key into rpm's keyring
sudo rpm --import docs/security/signing-key.pub # if working from a clone
# OR
sudo rpm --import https://raw.githubusercontent.com/Stirling-Tools/Stirling-PDF/main/docs/security/signing-key.pub
# Verify the package
rpm --checksig Stirling-PDF-*.rpm
# Expected output ends with: "digests signatures OK"
```
## Verifying a `.deb`
Debian packages are signed with a detached `.asc` file distributed alongside
the `.deb` on the release page:
```bash
gpg --verify Stirling-PDF-*.deb.asc Stirling-PDF-*.deb
```
## What if verification fails?
A failed signature check means **do not install the file**. Possible causes:
- The download was corrupted — try again from the
[official releases](https://github.com/Stirling-Tools/Stirling-PDF/releases).
- You obtained the file from a malicious mirror — get it from the official
source.
- The signing key has rotated — check this document on the latest `main` for
the current fingerprint.
If none of those explain it, please open a security report at
https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/new.
## Key rotation policy
The signing key expires on **2031-04-16**. We will publish a new key at least
six months before expiry. The transition process:
1. A new key is announced in release notes and this document is updated.
2. The last few releases will be co-signed with both the old and new keys.
3. The old key is published with a revocation notice once the transition is
complete.
If the signing key is ever compromised, a revocation certificate will be
published immediately to both keyservers and to this document.