Verification

All releases are signed by one of the Jam contributors. As of this writing (742,834), releases are signed with dergigi's PGP key, which has the following fingerprint:

8198 A185 30A5 22A0 9561 2439 89C4 A25E 69A5 DE7F

To verify a specific release, import the key

curl https://dergigi.com/PGP.txt | gpg --import

and verify the git tag of your local copy:

git verify-tag v0.0.10

This should produce an output that contains "good signature" as well as the key fingerprint mentioned above:

gpg: Signature made Fr  5 Aug 14:17:58 2022 CEST
gpg:                using RSA key 8198A18530A522A09561243989C4A25E69A5DE7F
gpg: Good signature from "Gigi <dergigi@pm.me>" [unknown]
...
Primary key fingerprint: 8198 A185 30A5 22A0 9561  2439 89C4 A25E 69A5 DE7F
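
For scripted checks, the same comparison can be made on the machine-readable status lines that `git verify-tag --raw` prints, instead of reading the output by eye. The script below is an added example, not part of the Jam project: the function names, the file name in the usage comment and the sample status lines are constructed for illustration, and only the fingerprint is taken from this page.

```shell
#!/bin/sh
# Added example (not Jam project code): pin the signer, not just "Good signature".
EXPECTED_FPR="8198 A185 30A5 22A0 9561 2439 89C4 A25E 69A5 DE7F"  # fingerprint from this page

# check_status EXPECTED_FPR
# Reads GnuPG status lines on stdin. Succeeds only if a VALIDSIG line names
# the expected primary key fingerprint and no bad/expired/revoked status appears.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # The last field of VALIDSIG is the primary key fingerprint.
        $2 == "VALIDSIG" { if (toupper($NF) == want) ok = 1; else bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_tag TAG: with --raw, git writes the gpg status lines to stderr.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 | check_status "$EXPECTED_FPR"
}

# Constructed sample of status output for a tag signed by the key above
# (timestamp and algorithm fields are illustrative, not captured output).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89C4A25E69A5DE7F Gigi <dergigi@pm.me>
[GNUPG:] VALIDSIG 8198A18530A522A09561243989C4A25E69A5DE7F 2022-08-05 1659701878 0 4 0 1 8 00 8198A18530A522A09561243989C4A25E69A5DE7F
EOF
}

# Usage inside a clone (hypothetical file name): sh verify-release.sh v0.0.10
if [ "$#" -gt 0 ]; then
    if verify_tag "$1"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "FAIL: $1 is not validly signed by the expected key" >&2
        exit 1
    fi
fi
```

A tag signed with any other key in the local keyring still yields "Good signature" from gpg, which is why the check compares the full fingerprint and does not stop at that line.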

You can also see if a release was signed properly by clicking on the verification badge next to the version number on the releases page on GitHub.

It should say that "This tag was signed with the committer’s verified signature" and show you the last 16 characters of the key fingerprint listed above (89C4 A25E 69A5 DE7F).