Recent Changes - Search:

TurboVNC Home

About TurboVNC

Downloads

Documentation

Reports

Developer Info

Contact

Related Projects

Digital Signatures

To ensure the integrity of official TurboVNC releases, the files in each release are signed using the methods described below.

Source Tarball (TurboVNC 2.2.6 and later)

The official source tarball is signed using the following GPG key:

https://raw.githubusercontent.com/TurboVNC/repo/main/VGL-GPG-KEY
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xae1a7ba4efff9a9987e1474c4baccab36e7fe9a1

To verify the source tarball signature:

curl -sSL '{key URL}' | gpg --import -
gpg --verify {.sig file}

Source Tarball (TurboVNC 2.2.5 and earlier)

The official source tarball is signed using the following GPG key:

https://raw.githubusercontent.com/TurboVNC/repo/main/VGL-GPG-KEY-1024
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xecf01671d05e2a105ff84dc46bbefa1972feb9ce

To verify the source tarball signature:

curl -sSL '{key URL}' | gpg --import -
gpg --verify {.sig file}

Linux (TurboVNC 2.2.6 and later)

The RPM and DEB packages are signed using the following GPG key:

https://raw.githubusercontent.com/TurboVNC/repo/main/VGL-GPG-KEY
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xae1a7ba4efff9a9987e1474c4baccab36e7fe9a1

To verify the RPM package signatures:

sudo rpm --import '{key URL}'
rpm --checksig {RPM file}

NOTE: The RPM packages in TurboVNC 3.0 beta1 and earlier (except for TurboVNC 2.2.x ESR) do not contain SHA-256 signatures, so it may not be possible to verify the signatures of those packages on systems that restrict the use of the SHA-1 algorithm.

NOTE: The RPM packages in TurboVNC 3.0.1 and earlier do not contain SHA-256 header or payload digests, so it may not be possible to verify the signatures of those packages on FIPS-compliant systems.

To verify the DEB package signatures:

sudo apt-get install debsig-verify
sudo debsig-import 4BACCAB36E7FE9A1 '{key URL}'
debsig-verify {DEB file}

debsig-import is available here.

Linux (TurboVNC 2.2.5 and earlier)

The RPM and DEB packages are signed using the following GPG key:

https://raw.githubusercontent.com/TurboVNC/repo/main/VGL-GPG-KEY-1024
or
https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xecf01671d05e2a105ff84dc46bbefa1972feb9ce

To verify the RPM package signatures:

sudo rpm --import '{key URL}'
rpm --checksig {RPM file}

To verify the DEB package signatures:

sudo apt-get install debsig-verify
sudo debsig-import 6BBEFA1972FEB9CE '{key URL}'
debsig-verify {DEB file}

debsig-import is available here.

NOTE: The DEB packages in TurboVNC 1.2 rc and earlier were not signed.

Mac (TurboVNC 2.2.2 and later)

The Mac TurboVNC Viewer app and DMG are signed using a Developer ID Application certificate obtained through the Apple Developer Program. The installer package (.pkg) is signed using a Developer ID Installer certificate.

To verify the Mac installer package/DMG signatures:

codesign -vv {DMG file}
hdid {DMG file}
cd /Volumes/TurboVNC-*
pkgutil --check-signature *.pkg

To verify the Mac TurboVNC Viewer app signature:

Install the package, then

codesign -vv /Applications/TurboVNC/*.app

Windows (TurboVNC 1.2 and later)

The Windows installers are signed using a code signing certificate.

Free code signing provided by SignPath.io. Certificate by SignPath Foundation.

To verify the Windows installer package signatures:

Right-click on the .exe file and look at the "Digital Signatures" tab. If you have the Windows SDK installed, you can also run:

signtool verify -pa {.exe file}
Creative Commons LicenseAll content on this web site is licensed under the Creative Commons Attribution 2.5 License. Any works containing material derived from this web site must cite The VirtualGL Project as the source of the material and list the current URL for the TurboVNC web site.

Edit - History - Print - Recent Changes - Search
Page last modified on December 02, 2023, at 11:05 AM