Docs Downloads & Releases GPG Signature Verification Instructions
GPG Signature Verification Instructions
How to verify the authenticity of Bervice release files using our published GPG public key. This ensures your download hasn’t been tampered with.
1. Why Verify with GPG?
GPG (GNU Privacy Guard) verification confirms that a file was signed by the Bervice team and hasn’t been altered. Even if the SHA-256 checksum matches, only GPG verification guarantees the signer’s identity.
2. Get the Bervice Public Key
- Download our public key: bervice-pgp.asc
- Import into GPG:
gpg --import bervice-pgp.asc
- Verify the key fingerprint matches what’s listed on our official website and social channels:
gpg --fingerprint "Bervice Release Signing Key"
3. Download File & Signature
For each release file (e.g., bervice-v1.0.0-win-x64.exe), download its detached signature file (.sig or .asc).
bervice-v1.0.0-win-x64.exebervice-v1.0.0-win-x64.exe.sig
4. Verify the Signature
Run the GPG verification command in your terminal:
gpg --verify bervice-v1.0.0-win-x64.exe.sig bervice-v1.0.0-win-x64.exe
If the signature is valid and matches our public key, you will see output like:
gpg: Signature made Wed 31 Jul 2025 02:45:12 PM UTC using RSA key ID ABC12345 gpg: Good signature from "Bervice Release Signing Key `[email protected]`
5. Troubleshooting
- Key not found: Make sure you imported our key before verifying.
- Bad signature: The file may be corrupted or tampered with — delete and re-download from our official site.
- Unknown key warning: This means you haven’t trusted the key yet — run:
gpg --edit-key "Bervice Release Signing Key" gpg`>` trust
6. Best Practices
- Always verify both the SHA-256 checksum and GPG signature for maximum security.
- Download keys and files over HTTPS from official domains only.
- Consider storing our public key in a secure keyring for future verifications.
For more on file verification, see Verify Downloads.