Digital Signatures

To ensure the integrity of official VirtualGL releases, the files in each release are signed using the methods described below.

Source Tarball (VirtualGL 2.6.5 and later)

The official source tarball is signed using the following GPG key:

    https://raw.githubusercontent.com/VirtualGL/repo/main/VGL-GPG-KEY

To verify the source tarball signature:

    curl -sSL '{key URL}' | gpg --import -
    gpg --verify {.sig file}

Source Tarball (VirtualGL 2.6.4 and earlier)

The official source tarball is signed using the following GPG key:

    https://raw.githubusercontent.com/VirtualGL/repo/main/VGL-GPG-KEY-1024

To verify the source tarball signature:

    curl -sSL '{key URL}' | gpg --import -
    gpg --verify {.sig file}

Linux (VirtualGL 2.6.5 and later)

The RPM and DEB packages are signed using the following GPG key:

    https://raw.githubusercontent.com/VirtualGL/repo/main/VGL-GPG-KEY

To verify the RPM package signatures:

    sudo rpm --import '{key URL}'
    rpm --checksig {RPM file}

NOTE: The RPM packages in VirtualGL 3.0 rc1 and earlier (except for VirtualGL 2.6.x ESR) do not contain SHA-256 signatures, so it may not be possible to verify the signatures of those packages on systems that restrict the use of the SHA-1 algorithm.

NOTE: The RPM packages in VirtualGL 3.0.1 and earlier do not contain SHA-256 header or payload digests, so it may not be possible to verify the signatures of those packages on FIPS-compliant systems.

To verify the DEB package signatures:

    sudo apt-get install debsig-verify
    sudo debsig-import 4BACCAB36E7FE9A1 '{key URL}'
    debsig-verify {DEB file}

Linux (VirtualGL 2.6.4 and earlier)

The RPM and DEB packages are signed using the following GPG key:

    https://raw.githubusercontent.com/VirtualGL/repo/main/VGL-GPG-KEY-1024

To verify the RPM package signatures:

    sudo rpm --import '{key URL}'
    rpm --checksig {RPM file}

To verify the DEB package signatures:

    sudo apt-get install debsig-verify
    sudo debsig-import 6BBEFA1972FEB9CE '{key URL}'
    debsig-verify {DEB file}

NOTE: The DEB packages in VirtualGL 2.3 beta1 and earlier were not signed.

Mac (VirtualGL 2.6.2 and later)

The Mac installer package (.pkg) and DMG are signed using, respectively, a Developer ID Installer certificate and a Developer ID Application certificate obtained through the Apple Developer Program.

To verify the Mac installer package/DMG signatures:

    codesign -vv {DMG file}
    hdid {DMG file}
    cd /Volumes/VirtualGL-*
    pkgutil --check-signature *.pkg

Windows (VirtualGL 2.3 and later)

The Windows installers are signed using a code signing certificate.

To verify the Windows installer package signatures:

Right-click on the .exe file and look at the "Digital Signatures" tab. If you have the Windows SDK installed, you can also run:

    signtool verify -pa {.exe file}
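The source tarball steps above can be scripted so that the key is chosen by release version, imported into a throwaway keyring instead of the user's own, and the result accepted only when the signature was made by the expected key. This is an added example, not code from the VirtualGL Project. The function names are hypothetical, versions are taken to be dotted numbers, and it assumes that the key IDs the page passes to debsig-import are the long IDs of the keys at the two key URLs.

```sh
#!/bin/sh
REPO=https://raw.githubusercontent.com/VirtualGL/repo/main

# Print "<key URL> <long key ID>" for a release version such as 2.6.5 or 3.1.
# Assumption: the key IDs the page passes to debsig-import are the long IDs
# of the keys published at these two URLs.
vgl_key_for_version() {
    old_ifs=$IFS; IFS=.
    set -- $1                       # split on dots: major minor patch
    IFS=$old_ifs
    major=${1%%[!0-9]*}; minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -gt 2 ] ||
       { [ "$major" -eq 2 ] && [ "$minor" -gt 6 ]; } ||
       { [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 5 ]; }
    then echo "$REPO/VGL-GPG-KEY 4BACCAB36E7FE9A1"
    else echo "$REPO/VGL-GPG-KEY-1024 6BBEFA1972FEB9CE"
    fi
}

# Read gpg --status-fd output on stdin; succeed only if a VALIDSIG line names
# a signing-key or primary-key fingerprint ending in the expected long key ID.
vgl_status_ok() {
    awk -v id="$1" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
        n = length(id)
        if (substr($3, length($3) - n + 1) == id ||
            substr($NF, length($NF) - n + 1) == id) ok = 1
    } END { exit !ok }'
}

# Usage: vgl_verify_tarball <version> <.sig file> <tarball>
vgl_verify_tarball() {
    set -- "$2" "$3" $(vgl_key_for_version "$1")   # sig, tarball, URL, key ID
    tmp=$(mktemp -d) || return 1                   # throwaway GnuPG home
    curl -sSL "$3" | gpg --homedir "$tmp" --quiet --import - &&
        gpg --homedir "$tmp" --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        vgl_status_ok "$4"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ $# -eq 3 ]; then vgl_verify_tarball "$@"; fi
```

Passing the tarball explicitly next to the .sig file keeps gpg from guessing which file the detached signature covers.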
All content on this web site is licensed under the Creative Commons Attribution 2.5 License. Any works containing material derived from this web site must cite The VirtualGL Project as the source of the material and list the current URL for the VirtualGL web site.