How to verify ProcessOne downloads integrity

Integrity of files downloaded from ProcessOne website can be verified with checksum information.
To validate your download:

  1. Download both the file.ext and the file.ext.sum.
  2. On Linux, type the following command:
    sha256sum -c file.ext.sum
    

    On macOS, type the following command:

    openssl sha256 file.ext
    tail -f file.ext.sum
    

    Compare the first hash with the contents of the file.ext.sum file.

Note: Replace file.ext by the actual name of the downloaded file.

Verifying signature

The code distributed by ProcessOne is signed. To check the signature, you first need to have GNUPG installed and configured on your system. Then, you can go through the following steps:

  1. Import ProcessOne public keys into your keyring with the following command. This has to be done only once:
    wget -qO - https://www.process-one.net/downloads/KEYS | gpg --import
    
  2. Download the file.ext.asc along with your file.ext.

  3. Check the ProcessOne signature with the following command:

    gpg --verify file.tar.gz.asc`
    

    Successful verification contains the text Good signature from Process-one.


Let us know what you think 💬


2 thoughts on “How to verify ProcessOne downloads integrity

  1. The link to the GPG keys you’ve provided results in an 404. The file is not there. Please correct this, because I’d like to verify your packages.

Leave a Reply to sperg Cancel Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.