GPG Signature Verification
This guide explains how to verify GPG signatures for Hubio Sync installation scripts and binaries to ensure they haven’t been tampered with.
Why Verify GPG Signatures?
GPG (GNU Privacy Guard) signatures provide cryptographic proof that:
- ✅ The file was created by Hubio (authenticity)
- ✅ The file hasn’t been modified since signing (integrity)
- ✅ You’re not downloading a malicious copy (security)
We strongly recommend verifying signatures, especially in production environments or security-sensitive contexts.
Quick Start
1. Import Hubio’s Public GPG Key
Download and import our official GPG public key:
# Download the key
curl -fsSL https://install.hubio.team/gpg/public-key.asc -o hubio.asc
# Import the key
gpg --import hubio.asc
Key Fingerprint: ABCD 1234 EFGH 5678 IJKL 9012 MNOP 3456 QRST 7890
Verify the fingerprint matches exactly before proceeding.
2. Download Binary and Signature
# Download binary
curl -LO https://github.com/hubio/hubio-sync/releases/latest/download/hubio-sync-linux-x64
# Download signature
curl -LO https://github.com/hubio/hubio-sync/releases/latest/download/hubio-sync-linux-x64.sig
3. Verify Signature
gpg --verify hubio-sync-linux-x64.sig hubio-sync-linux-x64
Expected output:
gpg: Signature made Mon 25 Nov 2025 10:00:00 AM UTC
gpg: using RSA key ABCD1234EFGH5678IJKL9012MNOP3456QRST7890
gpg: Good signature from "Hubio Release Engineering <releases@hubio.com>" [unknown]
If you see Good signature, the verification succeeded! ✅
Platform-Specific Instructions
macOS
macOS does not ship with gpg; it is available via Homebrew. If not installed:
# Install GPG via Homebrew
brew install gnupg
Verify installation script:
# Download script and signature
curl -fsSL https://install.hubio.team/install.sh -o install.sh
curl -fsSL https://install.hubio.team/install.sh.sig -o install.sh.sig
# Import Hubio GPG key
curl -fsSL https://install.hubio.team/gpg/public-key.asc | gpg --import
# Verify signature
gpg --verify install.sh.sig install.sh
Verify binary:
# Download for Apple Silicon
curl -LO https://github.com/hubio/hubio-sync/releases/latest/download/hubio-sync-darwin-arm64
curl -LO https://github.com/hubio/hubio-sync/releases/latest/download/hubio-sync-darwin-arm64.sig
# Import key
curl -fsSL https://install.hubio.team/gpg/public-key.asc | gpg --import
# Verify
gpg --verify hubio-sync-darwin-arm64.sig hubio-sync-darwin-arm64
Linux
Most Linux distributions include gpg by default.
Install GPG (if missing):
# Ubuntu/Debian
sudo apt install gnupg
# Fedora/RHEL
sudo dnf install gnupg
# Arch Linux
sudo pacman -S gnupg
Verify installation script:
# Download script and signature
curl -fsSL https://install.hubio.team/install.sh -o install.sh
curl -fsSL https://install.hubio.team/install.sh.sig -o install.sh.sig
# Import Hubio GPG key
curl -fsSL https://install.hubio.team/gpg/public-key.asc | gpg --import
# Verify signature
gpg --verify install.sh.sig install.sh
Verify binary:
# Download binary
curl -LO https://github.com/hubio/hubio-sync/releases/latest/download/hubio-sync-linux-x64
curl -LO https://github.com/hubio/hubio-sync/releases/latest/download/hubio-sync-linux-x64.sig
# Import key
curl -fsSL https://install.hubio.team/gpg/public-key.asc | gpg --import
# Verify
gpg --verify hubio-sync-linux-x64.sig hubio-sync-linux-x64
Windows
Windows doesn’t include GPG by default. Install via:
Option 1: Gpg4win (Recommended)
- Download from gpg4win.org
- Install with default options
- Open PowerShell
Option 2: Chocolatey
choco install gnupg
Verify installation script:
# Download script and signature
Invoke-RestMethod https://install.hubio.team/install.ps1 -OutFile install.ps1
Invoke-RestMethod https://install.hubio.team/install.ps1.sig -OutFile install.ps1.sig
# Import Hubio GPG key
Invoke-RestMethod https://install.hubio.team/gpg/public-key.asc | gpg --import
# Verify signature
gpg --verify install.ps1.sig install.ps1
Verify binary:
# Download binary (use curl.exe: in Windows PowerShell, plain "curl" is an alias for Invoke-WebRequest)
curl.exe -LO https://github.com/hubio/hubio-sync/releases/latest/download/hubio-sync-windows-x64.exe
curl.exe -LO https://github.com/hubio/hubio-sync/releases/latest/download/hubio-sync-windows-x64.exe.sig
# Import key
Invoke-RestMethod https://install.hubio.team/gpg/public-key.asc | gpg --import
# Verify
gpg --verify hubio-sync-windows-x64.exe.sig hubio-sync-windows-x64.exe
Understanding GPG Output
Good Signature (Success)
gpg: Good signature from "Hubio Release Engineering <releases@hubio.com>" [unknown]
✅ Verification succeeded. The file is authentic and unmodified.
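The [unknown] trust level is normal for keys you haven’t explicitly trusted. The signature is still cryptographically valid, but GPG cannot confirm on its own that the key belongs to Hubio, which is why the fingerprint check matters.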
Bad Signature (Failure)
gpg: BAD signature from "Hubio Release Engineering <releases@hubio.com>"
❌ DO NOT USE THIS FILE. The file has been modified or corrupted.
Delete the file immediately and download again from the official source.
No Public Key
gpg: Can't check signature: No public key
⚠️ You haven’t imported the Hubio GPG key yet. Follow the import instructions above.
Advanced Usage
Verify Key Fingerprint
Always verify the key fingerprint matches our official fingerprint:
gpg --fingerprint releases@hubio.com
Official Fingerprint:
ABCD 1234 EFGH 5678 IJKL 9012 MNOP 3456 QRST 7890
If the fingerprint doesn’t match, DO NOT TRUST THE KEY.
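Pinning the fingerprint in a script, as an added example that is not Hubio's own tooling: gpg's machine-readable --status-fd output is checked for a VALIDSIG line whose primary-key field equals the fingerprint you pass in. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a file only if gpg reports a valid signature
# from the pinned primary-key fingerprint. Function names are illustrative.

# Strip spaces and upper-case, so "abcd 1234" and "ABCD1234" compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# check_status EXPECTED_FPR  (reads `gpg --status-fd` lines on stdin)
# Succeeds only if a VALIDSIG line carries EXPECTED_FPR as the primary key
# and no line reports a bad, unverifiable, expired or revoked signature/key.
check_status() {
  want=$(normalize_fpr "$1")
  [ -n "$want" ] || return 1
  awk -v want="$want" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
    $2 == "VALIDSIG" && toupper($12) == want { ok = 1 }
    END { exit !(ok && !bad) }
  '
}

# verify_pinned FILE SIG EXPECTED_FPR: run gpg and apply the check above.
# If gpg is missing or prints nothing, check_status fails closed.
verify_pinned() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed status lines (not real gpg output) for trying the parser offline.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.test>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2025-11-25 1764064800 0 4 0 1 10 00 $SAMPLE_FPR"

# Usage: sh verify-pinned.sh FILE SIG "FINGERPRINT"
if [ "$#" -eq 3 ]; then
  verify_pinned "$1" "$2" "$3" && echo "OK: $1" || { echo "REJECTED: $1" >&2; exit 1; }
fi
```

Pass the official fingerprint as the third argument; spaces in it are ignored. A signature made by any other key in your keyring is rejected even though gpg would print Good signature for it.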
Trust the Key (Optional)
To remove the [unknown] trust warning:
# Edit key trust
gpg --edit-key releases@hubio.com
# At the gpg> prompt:
gpg> trust
# Select "5 = I trust ultimately"
gpg> quit
Warning: Only trust keys after verifying the fingerprint.
Batch Verification
Verify multiple files at once:
# Verify all .sig files in current directory and report any failure
for file in *.sig; do
    gpg --verify "$file" "${file%.sig}" || echo "FAILED: ${file%.sig}" >&2
done
SHA-256 Checksum Verification
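In addition to GPG signatures, all releases include SHA-256 checksums. A checksum detects a corrupted or altered download, but it does not show who published the file, so use it alongside signature verification rather than instead of it.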
Download Checksums File
curl -LO https://github.com/hubio/hubio-sync/releases/latest/download/SHA256SUMS
Verify Checksum
macOS/Linux:
# Verify checksum matches
shasum -a 256 -c SHA256SUMS --ignore-missing
Windows (PowerShell):
# Compute checksum
Get-FileHash hubio-sync-windows-x64.exe -Algorithm SHA256
# Compare with SHA256SUMS file manually
Troubleshooting
“gpg: command not found”
Install GPG:
- macOS: brew install gnupg
- Ubuntu/Debian: sudo apt install gnupg
- Fedora/RHEL: sudo dnf install gnupg
- Windows: Download from gpg4win.org
“gpg: keyserver receive failed”
The keyserver may be down. Import the key directly instead:
curl -fsSL https://install.hubio.team/gpg/public-key.asc | gpg --import
“WARNING: This key is not certified with a trusted signature”
This is normal for keys you haven’t explicitly trusted. The signature is still valid if you see Good signature.
To trust the key, verify the fingerprint matches our official fingerprint, then use gpg --edit-key to set trust level.
Security Best Practices
- Always verify signatures before running installation scripts
- Verify the key fingerprint before trusting a new GPG key
- Use HTTPS when downloading keys and signatures
- Keep GPG updated with the latest security patches
- Report suspicious signatures to security@hubio.com immediately
Troubleshooting GPG Verification
If you encounter issues with GPG verification:
- Check system time: GPG signature verification requires accurate system time
- Verify key import: Run gpg --list-keys releases@hubio.com
- Re-download files: Corrupt downloads can cause verification failures
- Contact support: security@hubio.com for security-related questions
Related Documentation
- Security Guide - Overall security best practices
- Alternative Installation Methods - Other installation options
- Troubleshooting Guide - Common installation issues