// Verify
Verify downloads
Every Hugin release is signed with Ed25519. Verify authenticity before you run anything.
Why verify?
SHA256 checksums only verify that a download wasn't corrupted in transit. They don't prove the download came from us.
Ed25519 signatures prove authenticity. The signing key never leaves our CI.
Using the Hugin CLI
The fastest way:
hugin verify hugin-cli-linux-x86_64.tar.gzManual verification
With Python
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
import base64
pub_hex = "a61ff9262c4509a7879ddaa5a8d86345ef805f6ddced28b097bf58dae270618b"
pub_key = Ed25519PublicKey.from_public_bytes(bytes.fromhex(pub_hex))
with open("hugin-cli-linux-x86_64.tar.gz", "rb") as f:
data = f.read()
with open("hugin-cli-linux-x86_64.tar.gz.sig") as f:
sig_line = f.read().strip()
sig_b64 = sig_line.removeprefix("hugin-sig-ed25519:")
signature = base64.b64decode(sig_b64)
pub_key.verify(signature, data)
print("Signature valid.")With OpenSSL (3.0+)
SIG_B64=$(cut -d: -f2 hugin-cli-linux-x86_64.tar.gz.sig)
echo "$SIG_B64" | base64 -d > /tmp/sig.raw
echo "MCowBQYDK2VwAyEAph/5JixFCaeHndqlqNhjRe+AX23c7Siwl79Y2uJwYYs=" | \
base64 -d | openssl pkey -inform DER -pubin -outform PEM -out /tmp/release.pub
openssl pkeyutl -verify -pubin -inkey /tmp/release.pub \
-rawin -in hugin-cli-linux-x86_64.tar.gz -sigfile /tmp/sig.rawSigning key
Ed25519 public key:
Hex: a61ff9262c4509a7879ddaa5a8d86345ef805f6ddced28b097bf58dae270618bBase64: ph/5JixFCaeHndqlqNhjRe+AX23c7Siwl79Y2uJwYYs=Machine-readable: GET /signing-key
Signature format
Each release artifact has a .sig sidecar:
hugin-sig-ed25519:<base64(64-byte-Ed25519-signature)>