|
About TurboVNC
Reports Developer Info
Related Projects |
Digital SignaturesTo ensure the integrity of official TurboVNC releases, the files in each release are signed using the methods described below. Source Tarball (TurboVNC 2.2.6 and later)The official source tarball is signed using the following GPG key: https://raw.githubusercontent.com/TurboVNC/repo/main/VGL-GPG-KEY To verify the source tarball signature:
curl -sSL '{key URL}' | gpg --import -
gpg --verify {.sig file}
Source Tarball (TurboVNC 2.2.5 and earlier)The official source tarball is signed using the following GPG key: https://raw.githubusercontent.com/TurboVNC/repo/main/VGL-GPG-KEY-1024 To verify the source tarball signature:
curl -sSL '{key URL}' | gpg --import -
gpg --verify {.sig file}
Linux (TurboVNC 2.2.6 and later)The RPM and DEB packages are signed using the following GPG key: https://raw.githubusercontent.com/TurboVNC/repo/main/VGL-GPG-KEY To verify the RPM package signatures:
sudo rpm --import '{key URL}'
rpm --checksig {RPM file}
NOTE: The RPM packages in TurboVNC 3.0 beta1 and earlier (except for TurboVNC 2.2.x ESR) do not contain SHA-256 signatures, so it may not be possible to verify the signatures of those packages on systems that restrict the use of the SHA-1 algorithm. NOTE: The RPM packages in TurboVNC 3.0.1 and earlier do not contain SHA-256 header or payload digests, so it may not be possible to verify the signatures of those packages on FIPS-compliant systems. To verify the DEB package signatures:
sudo apt-get install debsig-verify
sudo debsig-import 4BACCAB36E7FE9A1 '{key URL}'
debsig-verify {DEB file}
Linux (TurboVNC 2.2.5 and earlier)The RPM and DEB packages are signed using the following GPG key: https://raw.githubusercontent.com/TurboVNC/repo/main/VGL-GPG-KEY-1024 To verify the RPM package signatures:
sudo rpm --import '{key URL}'
rpm --checksig {RPM file}
To verify the DEB package signatures:
sudo apt-get install debsig-verify
sudo debsig-import 6BBEFA1972FEB9CE '{key URL}'
debsig-verify {DEB file}
NOTE: The DEB packages in TurboVNC 1.2 rc and earlier were not signed. Mac (TurboVNC 2.2.2 and later)The Mac TurboVNC Viewer app and DMG are signed using a Developer ID Application certificate obtained through the Apple Developer Program. The installer package (.pkg) is signed using a Developer ID Installer certificate. To verify the Mac installer package/DMG signatures:
codesign -vv {DMG file}
hdid {DMG file}
cd /Volumes/TurboVNC-*
pkgutil --check-signature *.pkg
To verify the Mac TurboVNC Viewer app signature: Install the package, then codesign -vv /Applications/TurboVNC/*.app Windows (TurboVNC 1.2 and later)The Windows installers are signed using a code signing certificate. Free code signing provided by SignPath.io. Certificate by SignPath Foundation. To verify the Windows installer package signatures: Right-click on the .exe file and look at the "Digital Signatures" tab. If you have the Windows SDK installed, you can also run:
signtool verify -pa {.exe file}
|
 | All content on this web site is licensed under the Creative Commons Attribution 2.5 License. Any works containing material derived from this web site must cite The VirtualGL Project as the source of the material and list the current URL for the TurboVNC web site. |