Recent Changes - Search:

VirtualGL Home

About VirtualGL

Downloads

Documentation

Developer Info

Library

Contact

Related Projects

Digital Signatures

To ensure the integrity of official VirtualGL releases, the files in each release are signed using the methods described below.

Source Tarball (VirtualGL 2.6.5 and later)

The official source tarball is signed using the following GPG key:

https://raw.githubusercontent.com/VirtualGL/repo/main/VGL-GPG-KEY
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xae1a7ba4efff9a9987e1474c4baccab36e7fe9a1

To verify the source tarball signature:

curl -sSL '{key URL}' | gpg --import -
gpg --verify {.sig file}

Source Tarball (VirtualGL 2.6.4 and earlier)

The official source tarball is signed using the following GPG key:

https://raw.githubusercontent.com/VirtualGL/repo/main/VGL-GPG-KEY-1024
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xecf01671d05e2a105ff84dc46bbefa1972feb9ce

To verify the source tarball signature:

curl -sSL '{key URL}' | gpg --import -
gpg --verify {.sig file}

Linux (VirtualGL 2.6.5 and later)

The RPM and DEB packages are signed using the following GPG key:

https://raw.githubusercontent.com/VirtualGL/repo/main/VGL-GPG-KEY
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xae1a7ba4efff9a9987e1474c4baccab36e7fe9a1

To verify the RPM package signatures:

sudo rpm --import '{key URL}'
rpm --checksig {RPM file}

NOTE: The RPM packages in VirtualGL 3.0 rc1 and earlier (except for VirtualGL 2.6.x ESR) do not contain SHA-256 signatures, so it may not be possible to verify the signatures of those packages on systems that restrict the use of the SHA-1 algorithm.

NOTE: The RPM packages in VirtualGL 3.0.1 and earlier do not contain SHA-256 header or payload digests, so it may not be possible to verify the signatures of those packages on FIPS-compliant systems.

To verify the DEB package signatures:

sudo apt-get install debsig-verify
sudo debsig-import 4BACCAB36E7FE9A1 '{key URL}'
debsig-verify {DEB file}

debsig-import is available here.

Linux (VirtualGL 2.6.4 and earlier)

The RPM and DEB packages are signed using the following GPG key:

https://raw.githubusercontent.com/VirtualGL/repo/main/VGL-GPG-KEY-1024
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xecf01671d05e2a105ff84dc46bbefa1972feb9ce

To verify the RPM package signatures:

sudo rpm --import '{key URL}'
rpm --checksig {RPM file}

To verify the DEB package signatures:

sudo apt-get install debsig-verify
sudo debsig-import 6BBEFA1972FEB9CE '{key URL}'
debsig-verify {DEB file}

debsig-import is available here.

NOTE: The DEB packages in VirtualGL 2.3 beta1 and earlier were not signed.

Mac (VirtualGL 2.6.2 and later)

The Mac installer package (.pkg) and DMG are signed using, respectively, a Developer ID Installer certificate and a Developer ID Application certificate obtained through the Apple Developer Program.

To verify the Mac installer package/DMG signatures:

codesign -vv {DMG file}
hdid {DMG file}
cd /Volumes/VirtualGL-*
pkgutil --check-signature *.pkg

Windows (VirtualGL 2.3 and later)

The Windows installers are signed using a code signing certificate.

To verify the Windows installer package signatures:

Right-click on the .exe file and look at the "Digital Signatures" tab. If you have the Windows SDK installed, you can also run:

signtool verify -pa {.exe file}
Creative Commons LicenseAll content on this web site is licensed under the Creative Commons Attribution 2.5 License. Any works containing material derived from this web site must cite The VirtualGL Project as the source of the material and list the current URL for the VirtualGL web site.

Edit - History - Print - Recent Changes - Search
Page last modified on December 02, 2023, at 11:51 AM